Introducing Microsoft Windows Server 2003. Do more with less.

You’re being asked to do more. You’re being asked to do it with less. Microsoft® Windows® Server 2003 is designed to help you manage these opposing forces with powerful server consolidation capabilities that increase efficiency, decrease man-hours, and lower your total cost of ownership. Download your free evaluation copy of Windows Server 2003 at microsoft.com/windowsserver2003. Software for the Agile Business.

Information Resources, Inc. (IRI) manages over 122 terabytes of data to provide consumer behavior insights, advanced analytics, and decision analysis tools for some of the largest consumer packaged goods, healthcare, retail, and financial companies in the world. To meet increasing demand for faster, more granular business intelligence while reducing costs, IRI is using 64-bit editions of Windows Server 2003 and SQL Server™ 2000 on an Intel Itanium 2 system to deliver faster answers to its customers. The result? IRI will be able to process more queries, using a fraction of the number of servers while realizing significant cost savings and improving customer service.
is getting wireless.

IBM recommends Microsoft Windows XP Professional for Business

Implementing a wireless network is an excellent way to increase your employees’ efficiency and productivity. But it can seriously backfire if they can’t even get online. So what can you do? Give them PCs that are designed to really work wirelessly. Select IBM ThinkPad® PCs are equipped with Intel® Centrino™ Mobile Technology that keeps your employees online when they’re working wirelessly. And Access Connections software automatically switches network connections for your employees - which can increase productivity per user by up to 20%*. That means less IT gridlock - and much more time for IT to focus on your business strategy. Learn more at ibm.com/pc/think

Think mobility ThinkCentre ThinkPad ThinkVision

As of today, security is not just about what you
It’s about what you can

McAfee Security

Start with Intrusion Prevention Solutions from McAfee Security® and discover how to go beyond merely detecting threats to preventing them altogether. With McAfee® System Protection and Network Protection Solutions, your business is completely protected—from the core to the edge of your network, including servers and desktops.

Start building productivity faster. Knowing your network and systems are safe from both known and unknown threats, you'll be free to focus on bigger picture issues, like maximizing the ROI of your technology investment.

Start saying yes to users more. Users want full Internet access, they want laptops, they want PDAs, they want wireless, and they don't want to hear about how security concerns outweigh their needs. Now they don't have to. Because with McAfee Security you can start giving them the technologies they need without giving up the security your enterprise demands.

Start growing securely. When you're secure you can start thinking more about how ideas spread and less about how network threats spread. You can start expanding what your network can do, not simply reducing what hackers can do. You can start chasing what you're after, not what's after you.

Start today at start.mcafeesecurity.com

Network Associates

Network Associates and McAfee Security are registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2003 Networks Associates Technology, Inc. All Rights Reserved.
The right software can help today's CIO become tomorrow's corporate leader.

It's amazing what the right software can do in the right hands. Just ask the CIOs taking advantage of our management software for utility computing. They've transformed previously complex disparate infrastructures into integrated springboards for business success. And they've capitalized on tomorrow's trends while heading off today's problems, all while maximizing their existing resources. To learn how management software can benefit your business, not to mention your career, go to ca.com/management3.
“Deploying our ERP application on our tight deadline would have been impossible. With Citrix, we not only made our deadline, we also drastically reduced our deployment costs.”

Curtis Robb, CIO
Delta Air Lines, Inc.

INFRASTRUCTURE FOR THE ON-DEMAND ENTERPRISE

In the airline business, being on time is everything. And for Delta Air Lines, their ERP deployment was no exception. But with 12,400 individual desktops to manage, they needed a faster route to meet their deadline. So they turned to Citrix for a simplified and more cost-effective solution. Not surprising, considering that 99% of the Fortune 500 use Citrix® software to deploy applications centrally for secure, easy, and instant access to business-critical information - anywhere, anytime, from any device. We call it the on-demand enterprise. And it’s helping more than 120,000 of our customers save money and reduce IT complexity. To learn what it can do for your business, visit www.citrix.com.

CITRIX

©2003 Citrix Systems, Inc. All rights reserved. Citrix is a registered trademark of Citrix Systems, Inc. in the U.S. and other countries. All other trademarks and registered trademarks are the property of their respective owners. Delta and Delta Air Lines are registered trademarks of Delta Corporate Identity, Inc.
CAN YOUR SOFTWARE TELL YOU WHICH ONE?

Business Service Management solutions from BMC Software® can. In fact, they let you predict critical performance problems and resolve them before they ever impact your business. And you can prioritize IT management, investments and resource allocations to optimize your business performance. So you can solidly align your IT investments with strategic business goals. And protect the delivery of vital business services like sales, customer service, online transactions, logistics and distribution—whatever is most critical to your company's success. It's enterprise management software that works with your existing IT resources to let you manage what matters from a business perspective and execute with precision. Find out how at www.bmc.com/bsml

bmcsoftware


INTERACTIVE > features

from November 1 to November 15

ASK THE SOURCE

How Do You Fix Poor Performers?

You know the rotten apples in the barrel will infect other workers with their poor attitudes (see How to Find, Fix or Fire Your Poor Performers, Page 60). But as Dick Grote, president of Grote Consulting, says, “managers would rather have a tooth pulled than have a performance conversation with a subordinate.” So what is the best way to have the worst conversations? Through Nov. 15, Grote will be on hand online to help you confront or convert your bottom-feeders. Go to www.cio.com/ask.

Dick Grote of Grote Consulting

How to Get Really Strategic

Robert Kaplan and David Norton developed the Balanced Scorecard concept in 1990. Now they’re tackling the real-life issues of strategy (see Strategy in Action, Page 94). If you’re about to tackle some strategic issues of your own, check out the IT Strategy section of the Leadership and Management Research Center (go to www.cio.com/leadership). For more on the ins and outs of the strategy game, look into our exclusive CIO Focus on Strategic Planning: How to Develop and Align IT Strategy. It’s for sale now at The CIO Store (go to www.theciostore.com).

ADD A COMMENT

How Do You Squash Spam?

As if you didn’t know: Spam constitutes 40 percent to 60 percent of corporate e-mail traffic (see Be a Spam Slayer, Page 72). So you also know that even making a dent in spam turns you into a hero. From filtering to outsourcing to brewing your own toxic antispam cocktail mix, how have you battled the dark forces of spam?

How Do You Placate Patches?

The current manufacturing process for patches—from disclosure of a vulnerability to the creation and distribution of the updated code—makes patching untenable (see FrankenPatch, Page 100). But the only way to fix insecure post-release software is with patches. What’s a CIO to do? What do you do?

» Share your tried-and-true tactics—or read what your peers have used successfully—in the ADD A COMMENT sections at the end of the online versions of these features.

LEARN MORE

How Do You Get the Most Value from IT Vendors?

Do you imagine that your peers have learned the secrets of getting the best of their vendors? Do you wish you knew what they knew? Now you can. Read the full results of the exclusive CIO survey Getting Value from IT Vendors online at www2.cio.com/research.

Our Daily Web

Check out Chris Lindquist’s Tech Tact column for insight into the latest business technology to help you. Look for it Mondays.

Between nine years of archived issues, 24 Research Centers, daily online exclusives, jobs listings and experts’ opinions, CIO.com has more than 20,000 pages. We realize that finding information on such a large site can be a challenge, so we put together a special online tour to guide you quickly and easily to all you need to know. To take a swing around the site, go to www.cio.com/tour.
SyncMaster 192T

That’s DigitAll vision.

How do you become the fastest growing 50 billion-dollar retailer in history with over 200 new stores opening this year alone? With unparalleled vision and absolute clarity. That’s why The Home Depot® chooses Samsung — the world’s leading manufacturer of TFT-LCD displays.

Super-bright, razor-sharp...

• 19" analog/digital TFT/PVA display
• Unique dual-hinge base allows up to 90° tilt for optimal ergonomics
• 1280 x 1024, Xtrawide™ 170°/170° viewing angle, VESA® wall-mountable base
• World’s leading manufacturer of TFT-LCD displays

And now Samsung’s commitment to the big picture continues with the innovative display technology found in the new SyncMaster 192T, allowing your future to appear just as bright.

Add vision. Add possibility. Add Samsung.

• Visit www.samsungusa.com

©2003 Samsung Electronics America, Inc. Screen images are simulated.


From the Editor

limdberp@cio.com

Need help with employee problems? Until Nov. 15, Dick Grote, a consultant specializing in performance appraisal, will be online to answer your questions at ASK THE SOURCE (www.cio.com/ask). And you can always check out the online STAFFING RESEARCH CENTER (www.cio.com/staffing).

Performance Arts

MANAGING PEOPLE’S performance is one of the least favorite jobs of many executives, yet it is without question a critical success factor. If your employees are not performing to the best of their abilities, you are wasting time and money.

So why do we hate this part of the job?

1. We are taught not to “judge” others, so many of us feel uncomfortable assessing individuals’ talents, skills and attitude and, especially, communicating that directly to the person in question.

2. It’s time-consuming. The evaluation part alone requires hours of gathering and reviewing data, and analyzing what it means in the context of the individual, the job he’s assigned to and the organization overall.

3. It often involves telling people things they don’t want to hear, and asking them to do things they don’t want to do.

4. The benefits, while very real, are indirect, and it’s a never-ending process—there’s no end date to performance management. (Sure, you can fire a poor performer, but you still have to manage her successor’s performance.)

5. In times of lean budgets, it can be more difficult to reward good performers financially, so it may be tempting to avoid the conversation altogether.

CIOs who have embraced the performance-management part of their jobs dismiss such objections. In fact, they’ll tell you, there’s nothing more important to CIO success than building and continually tuning a high-performance team. For some, that is the job. (See Meridith Levinson’s “How to Find, Fix or Fire Your Poor Performers,” Page 60.)

Inexperienced managers sometimes think they’ll spare the feelings of their staffers if they avoid the honest truth about their weak performance. Nothing could be further from the truth. Most people are good at something—as a leader it’s your job to help them improve at what they’re doing if possible and, if not, help them find an alternate path once they really hit the wall.

There are many tools available to aid in performance evaluation and management. One of the most controversial is forced ranking. As with any method, there’s a right and a wrong way to do it.

I once knew a CIO who attracted and retained top talent, and developed a uniquely high performing team. Yet his company insisted he (and all the other executives) use forced ranking not only to evaluate their staff but to annually eliminate the bottom 10 percent. After the first year or two, there were no bad performers left, and he was having to fire people he believed to be capable, talented IT professionals. This clearly did not serve the organization or its people well, and it’s no surprise he didn’t stay with that company for long. It’s also no surprise that a good many of those employees followed him to his next assignment.

Do you agree that effective performance management is key to your success? Let me know.
Connect. Any Way You Want.

IT budgets and staff have been slashed

Fortunately you have the most manageable video conferencing systems in the world

With IT resources scarcer than ever, you need Polycom's integrated video conferencing systems. They're user friendly, easy to upgrade, manage and maintain. Deployment is virtually "plug and play." And, monitoring and management is centralized. It all adds up to a great ROI for your team and your company. Join the millions of people worldwide that already use Polycom and The Polycom Office. With integrated video, voice, data, and Web applications, The Polycom Office makes communicating as natural as being there.

For more information and your free white paper "Demystifying IP Migration" visit www.polycom.com or call 1-877-POLYCOM. Ask about the outstanding new Polycom VSX™ 7000 - video conferencing like you've never seen it. Polycom. The time for manageable video conferencing is now.

POLYCOM

©2003 Polycom, Inc. All rights reserved. Polycom and the Polycom logo are registered trademarks and VSX, Polycom Office and the SoundStation industrial design are trademarks of Polycom, Inc. in the U.S. and various countries.

When you distribute information to a few users, it's easy.

From one user to millions, from casual through power users, from your employees to your partners and customers, Information Builders can provide you with the most cost-effective way to get more consistent information to more people. Our WebFOCUS enterprise reporting software is the proven solution used by 80% of Fortune 100 companies to optimize business performance. See how to simplify a complex environment by calling 800-969-INFO or visit informationbuilders.com for a demonstration. Information Builders. ANSWERS.
Reader Feedback

HUMAN FACTORS ARE THE REAL PROBLEM

I take issue with the premise that the faults in demand forecasting can be attributed to software that underperformed vendor promises and hype (“Future Results Not Guaranteed,” July 15, 2003). Frankly, the article was unbalanced and overly critical of technologies that, in many cases, are saving companies millions of dollars per year, improving customer service levels significantly, enabling the beneficial redeployment of production, inventory and financial assets, and overall improving shareholder value.

It was telling that the article did not include one reference to a statistical forecasting success. One of the companies mentioned in the article has told us that our forecasting software solution was instrumental in achieving a 20 percent inventory reduction together with a 10 percent increase in customer service levels—in less than one year. In addition, the software helped streamline the forecasting process and increased the percentage of product items forecasted from 20 percent to 80 percent. And this company also claims that it’s not yet tapping the full potential of the product.

In many cases, it is the human factors, not the software solutions, that impede the ability of customers to realize these and other types of positive results. Companies often purchase the wrong software product for the wrong job or the wrong reasons. In addition, insufficient data, internal politics, limited resources and lack of commitment to proper implementation are major factors in their inability to achieve forecasting success.

Charles N. Smart
President
Smart Software

BECHTEL BOUNCES BACK

Your July 15, 2003, article on wireless technology applications (Emerging Technology, “Building on Air”) makes the claim that Bechtel’s new bookings from 1999 to 2001 slid in part because of controversy over the award-winning Central Artery/Tunnel Project in Boston, which Bechtel is helping to manage as part of a joint venture.

The truth is that Bechtel, like other firms in the engineering and construction industry, was simply a victim of the economy’s cyclical turn from boom to bust. Bechtel’s bookings subsequently jumped 37 percent in 2002, evidence that our company has strong forward momentum—and that our reputation remains as excellent as ever.

Jonathan Marshall
Media Relations Manager
Bechtel
jvmarsha@bechtel.com

CREATING A GLOBAL WORKFORCE

You missed a couple of points in your Offshore Outsourcing Special Report (Sept. 1, 2003). You present the choice as either in-house or offshore. The real choice is in-house or outsource. The high degree of specialization, coupled with a shortage of specialized talent, forces many of us to seek outside help. Once this decision is made, the comparison is reduced to nearshore or offshore. In this light, the availability of quality resources at reasonable prices makes the offshore strategy a very strong one.

I would also stress another point absent from the article and lacking any focus by the press. My company has actually saved jobs by going offshore. Our presence on the Internet started, as did many, during the dotcom boom. The bubble burst, and many companies terminated their dotcom workforce and abandoned their e-commerce plans. We were able to shift some of the work offshore, and by so doing, we saved our site and several jobs managing, designing and running it.

The popular view today appears to frame the issue as a choice between American labor and foreign labor. If not for “cheap” labor abroad, goes the argument, we would be able to retain our jobs here. It is not that simple.

We have shrinking resources in the area of technical talent, and we have shrinking budgets for investments in technology. The solution to both problems will be found in striking a balance and utilizing a global workforce.

Craig Hergenroether
CIO
Barry-Wehmiller Cos.
Demand a higher return on your hosting investment. More than 350 companies around the world look to Data Return to run their mission-critical business applications with unparalleled levels of availability, performance and scalability. Our change management system, intelligent performance analysis, custom application support and scalability services ensure your applications will run well today and are ready for tomorrow. Enterprise managed hosting has been our sole focus for more than six years, so we're as serious about the success of your application as you are.

DEVELOPMENT DEBATE

CIOs need to understand that there are cost-effective alternatives to outsourcing.

Michael Schrage’s comparison to agile methods such as XP is brilliant (“Don’t Trust Your Code to Strangers,” Sept. 15, 2003). Readers should be aware that it is not an either-or proposition, and the two can be used together. For example, instead of CIOs making significant commitments by negotiating long-term, multiple-year contracts with outsourcers, they should consider applying agile methods.

Principles such as “early and continuous delivery of valuable software” can be incorporated into an outsourcing contract. An enterprise should be able to drop an outsourcer at any time and walk away with working software. Consider making the contract based on iterations of no longer than a couple of weeks.

Another agile principle—“At regular intervals, the team reflects on how to become more effective, then adjusts its behavior accordingly”—can be used as a cost-saving measure. Many contracts force a particular mode of interaction that has to be carried out even though people have figured out better ways of interacting. There are outsourcers in other lands such as Idaho and Iowa that practice agile outsourcing methods that will match the rates of the large outsourcers in India. CIOs should consider these as viable alternatives.

Learn to crawl before you walk....

James McGovern
Enterprise Architect
james@architectbook.com

Recently I was teaching a class of executives at a local utility about how to manage project managers and provide an effective project management environment. The question came up about whether outsourcing is effective. I quoted some recent research that showed that India has far more SEI-CMM Level 5 organizations than we do, yet getting good applications is still highly problematic.

My own research shows that the problem lies not in the coding, but in the requirements-gathering process. Nobody can understand your business requirements better than you do. If your developers are in your own company, it’s easy to clear up confusion about requirements. If your developers are half a world away, there’s virtually no hope of getting your requirements understood.

When I made that statement, I could see heads nodding, and one manager said he had to bring some of the development personnel to the United States to get a handle on the requirements.

I also stated that if your applications are being developed overseas, you have no insight into any additional code they put into the application. They could easily put a back-door access into your system, and you don’t have any idea about it unless you’re specifically testing for it. But that would add significantly to the cost.

Frank R. Parth
President
Project Auditors
fparth@projectauditors.com

As a project manager 15 years ago, I discovered that the best requirements definition and design from the user viewpoint was created when the analysts and developers knew the work environment.

Even if they don’t actually work in the job, they need to be there to watch the end users and see what is happening around them. If we had developed the application design in this project according to the current IS standards, the system would never have been used. By understanding how the end users had to work, what they needed to accomplish and the high-stress environment they were in, we were able to design an application they could use and that actually improved their work.

Ginny Dugan-Earley
Senior Business Systems Analyst
vduganea@yci.com

MERRILL LYNCH AND INFORMATION SECURITY

I admire Merrill Lynch’s approach to gaining competitive advantage and moving to newer technology platforms (“Merrill Lynch’s Billion-Dollar Bet,” Sept. 15, 2003). But I wonder if the project can truly reach its expected value. With a 1,500-page contract (psst, the lawyers are the real winners) and all of the major IT players and consultants involved, there’s a strong possibility that this will end up as a Harvard Business School business case for MBAs—let’s hope as a successful one.

The true “success” in this project is leadership. Merrill should be applauded for taking the plunge and moving with the very best technology partners and consultants available. But more important, the company should be applauded for its approach to project governance—now and for the duration of the contract. Continued excellent leadership and project governance will determine the success of the project in the long run.

One thing that did worry me slightly is corporate security. I didn’t notice any reference to it in the article and wonder if Merrill considers this core. If not, I suspect that this will cause others—customers, managed security providers—to take note and reassess their options.

Best of luck Merrill!

John G. Keogh
Managing Partner
VirtualExecs International
johnkeogh@vexinc.com

I was disappointed that “Merrill Lynch’s Billion-Dollar Bet” lacked reference to an information security plan. This is of particular concern given the increased importance and profile of security practices across all business systems, but in particular with Merrill’s requirement for compliance under the Gramm-Leach-Bliley Act.

Mark Johnson
Chief Information Security Officer
Halliburton
mark.johnson.S@halliburton.com

Merrill Lynch responds: Naturally, Merrill Lynch is extremely focused on information security, privacy and regulatory compliance for the Wealth Management Technology Platform (WMTP) effort as well as all of our other technology and business initiatives.

Full-time information security and privacy experts have been part of the WMTP team since its inception. The service-level agreements (SLAs) discussed by John Cummings and Byron Vielehr in the article include detailed sections for the vendors to adhere to Merrill Lynch’s security requirements and appropriate laws and regulations. Examples of the kinds of SLAs include customer data protection, system and data security, antivirus control and remediation, incident response, and personnel security. Monitoring and oversight of the SLAs and actual security implementation is provided for in the ongoing management of the WMTP service.

David Bauer
Chief Security & Privacy Officer
Merrill Lynch

JOURNEY OUT OF DEPRESSION

The topic of burnout is near and dear to me. I recognized all the signs and symptoms you described in “The M.I.A. CIO” [Hot Seat, Oct. 1, 2003]. I spent the past two years pursuing my MBA while working full time. Two years of extreme stress, a steady diet of fast food and running on about four hours’ sleep a day were killing me.

As I went into the last semester of school, my family, classmates and coworkers all commented on how much my disposition had changed. I had once been a happy, cheerful, active, outgoing, “glass is half full” kind of guy. I had gained weight and become sedentary. I was frustrated and angry with my work, disillusioned about my educational progress, and yelling at my wife and kids about the smallest things.

In retrospect, things were great. I was carrying an A average at a top-25 B-school. I had two wonderful boys and a wife who was essentially a single mother keeping our household and family functioning and together while I was at work and school. I was getting raises at work during a period when raises were frozen by company policy due to industry and economic conditions. So why was I so bitter?

One word: depression. My wife, who had some experience with depression in her family, recognized the signs and asked me to see the doctor. I took an honest look at the changes in myself and agreed. I started medication and saw an immediate improvement. The really scary thing is that I have a mild case. My dosage is “entry level,” and less than one-quarter what people with severe depression take. I can’t imagine what kind of hell a truly deep depression must be.

But I learned some lessons in this. First, depression is a treatable physical chemical imbalance. Second, it’s caused by long-term exposure to high stress levels. Third, I learned all the success in the world can’t make you happy if you’re sick. I was sick, but I was surrounded by people who cared about me; they helped me turn the corner.

Your tips for reenergizing are great, but they’ll probably be ineffectual for a depressed CXO in the long run. Depression is a medical condition and can only be diagnosed by a doctor. However, there are plenty of self-evaluation tools to help a stressed individual decide if a trip to the doctor is in order.

Anonymous
Senior Consultant, IT Security

CORRECTION

In “Birth of a Salesman” (Sept. 15, 2003), we incorrectly reported the number of users that Network Associates’ Siebel CRM system will support. The company plans to roll it out to 1,500 users. Also, CIO Dale Veno, who promotes proactive communication, meets with a formal steering committee every two months and meets with CEO George Samenuk even more frequently. We regret the errors.

What Do You Think?

Send your thoughts and feedback to letters@cio.com. Letters may be edited for length or clarity. For a link to the articles mentioned, go to www.cio.com/printlinks.
At AMS, we know a lot about technology. Even better, we know a lot about the businesses we work with. For more than 30 years we've helped governments, and communications and financial services firms transform the promise of IT into real business results. And we do it seamlessly. How? Not by acting like someone in our industry, but by thinking like someone in theirs.

ADVERTISEMENT


DATA CENTER MARKUP LANGUAGE: Setting the standard for utility computing

Data Center Management Challenges

Over the past decade, explosive growth in the availability and use of distributed computing technologies introduced unprecedented complexity into data center environments. A fundamental shift in computing architecture occurred: essential business applications rapidly migrated from client/server architectures running on a few, large servers to Web-based architectures running thousands of smaller servers.

The challenges created by this important shift included a dramatic need for IT reinvestment, retraining and organizational redesign. Unfortunately, the rapid pace of change left IT organizations struggling to manage the diverse skill sets needed for a fragmentation of operations technologies, including Web servers, application servers, database servers, network devices, storage fabrics, security systems, environmental management tools and others.

This has resulted in a data center management crisis. The lack of interoperability between management, emerging automation and utility computing systems prevents even the most basic IT process improvements from taking hold. A data center standard is imperative to realizing a true utility computing environment.

Introduction to DCML

Data Center Markup Language (DCML) is the first vendor-neutral, open language to describe data center environments, dependencies between data center components and the policies governing management and construction of those environments. DCML provides a structured data format to describe, construct, replicate, recover and communicate about components in data center environments.

DCML, sponsored by the DCML Organization, a self-funded non-profit organization consisting of more than 20 of the world’s leading software, service provider, and systems vendors, is the first open specification that provides a structured model and encoding to describe, construct, replicate, and recover data center environments and elements. Using DCML, companies will have a standard method to enable data center automation, utility computing, and system management solutions to exchange information about the data center environment that will make the vision of utility computing a reality.

The Right Time for a Standard

Within the emerging category of utility computing is a considerable assortment of internal and vendor-developed tools. Each of these utility computing technologies performs a different function in the data center: some are complete platforms automating the full lifecycle of servers and software; some are solely focused on infrastructure virtualization; some enable intelligent system monitoring; and others are point tools performing highly focused tasks such as device provisioning or application patching. As IT organizations increasingly conform to the utility computing model, they will have to adopt more than one solution because of gaps in tool functionality. That is because no single vendor is building a complete system; currently, the vision and objectives of utility computing are unattainable without multiple vendors and systems.

Regardless of originating vendor, all utility computing systems have a common dependence: a thorough understanding of the environment under management. However, one tool’s definition of “environment under management” and the format used to capture its key attributes are likely to be entirely different from another tool’s definition and format. Today’s definitions of data center environments are usually narrowly scoped, and the format of the requisite environmental information is always proprietary. As a result, it is practically impossible to share knowledge between different utility computing systems.

DCML Defined

A DCML file is both a recipe and a blueprint of one or more data center environments. Much as a culinary recipe provides the list of ingredients and the instructions for successfully combining them, DCML provides an inventory of data center elements and the desired functional relationship between them. Just as an architectural blueprint establishes an easily understood, multidimensional plan for constructing or replicating a building, a DCML file can be used to provision or reproduce a complete data center infrastructure, with all of its component relationships, dependencies, configurations, operational policies and management processes.

Conclusion

As the architectural shift from client/server to Web-based computing continues, most CIOs will see their environments grow more complex rather than more efficient. A growing breadth of disconnected, legacy and nascent management technologies will present CIOs with a decision: either kick off complex data center management integration projects, or stop investing in utility computing.

Given today’s economic climate and the potentially enormous benefits of utility computing, neither option is tenable. Only an open standard can provide the interoperability, cohesion and information exchange needed to prevent utility computing from simply becoming a resource-consumptive pipe dream. DCML will be the standard that hastens the maturity of utility computing from an interesting trend to an archetypal technology.

DCML will provide a single format to describe, configure and manage virtually every component and attribute of a distributed computing environment.

• Lower costs
• Higher quality

DCML addresses IT challenges

• No one system will be able to manage everything
• New and existing systems must work together
• Nascent technology, varying approaches
• Lack of accurate, consolidated information

Join the DCML Organization

The evolution of DCML from specification to standard will be the result of industry-wide collaboration. Members of the DCML Organization provide diverse perspectives, representing automation and utility computing vendors, enterprise system management vendors, technology vendors, and customers with large, heterogeneous IT environments.

Join leading companies and organizations from around the world in creating a new standard vital to the evolution of data center manageability and utility computing.

Please visit www.dcml.org for more information.
Digital Document Security and IT: Everything you need to know.

Q: What are the most significant digital copier security issues?

A: Various copier print controllers are actually servers that queue and permanently store multiple document files, providing administrator access to the documents. At a minimum, most digital copiers retain the last document processed; some even retain multiple documents totaling hundreds of pages. Others redirect print jobs when the printer is busy or jammed, making “denial of service” attacks possible.

Q: How does Sharp protect the network interface?

A: The Sharp Ethernet card allows administrators to restrict access and disable unnecessary protocols. With this network card, the Sharp digital copier is essentially protected by its own firewall.

Q: How can you be sure that security products actually perform as claimed?

A: The Common Criteria program, administered by the U.S. National Security Agency and the National Institute of Standards and Technology, evaluates security solutions. Products that are validated under the program meet security levels consistent with ISO 15408 methodology.

Q: How can Sharp improve IT security?

A: Sharp offers print privacy solutions designed to restrict unauthorized personnel from seeing confidential materials. Copier access can be controlled and monitored, while documents retained in printer/copier/scanner/fax memory are immediately cleared to eliminate unauthorized access.

How secure is your digital information?

Protect your information with the Data Security Kit from Sharp. Financial facts, personnel records, customer lists: networked copiers/printers process sensitive information every day. Unfortunately, their hard drives can also be accessed via the network, contributing to $60 billion worth of information theft every year.* To protect this weak link in your corporate security, we've created our Data Security Kit. It's the first copier and printer protection to be validated by Common Criteria, a government-sponsored program, and it's available only with our Digital IMAGER™ series of copiers/printers. Sharp's Data Security Kit. Enhanced information protection at your fingertips. sharpusa.com/security
Conventional business.

NEC is a registered trademark of NEC Corporation. All other trademarks are the property of their respective owners. ©2003 NEC Solutions (America), Inc. All Rights Reserved.

Connected business.

Introducing NEC's vision of the Connected Enterprise. It’s just not enough to align and connect the dots in your business anymore. Not when your competitors have IT infrastructures that perform at a whole new level. These infrastructures integrate business processes and real-time information - about customers, employees, partners and suppliers - into clear pictures that are accurate and actionable.

To help companies compete in a changing and challenging business environment, NEC Solutions America has united our world-class products and services to bring you a very agile and resourceful solutions provider. Using an open and holistic approach, NEC brings together best-of-class hardware, software and services, with vast experience in mobile enterprise computing, business intelligence, biometric security, business service management and visual display solutions. The result: enterprise knowledge that empowers your company in new ways, to create measurable improvements in performance, efficiency and ROI.

That’s NEC’s vision of the Connected Enterprise. And we’re turning that vision into real-time reality for businesses one enterprise at a time. To connect with us, call 888-632-7003 or visit www.necsam.com/connected.

Empowered by Innovation NEC
Face Recognition Hype Is Over

SINCE 9/11, few counterterrorism technologies have been hyped more than face recognition. Recently, though, reality interrupted the hype when two public pilot projects of the technology ended.

The city of Tampa, Fla., which first tested face recognition at the January 2001 Super Bowl (the technology on game day produced 19 “hits” with an FBI database but no arrests), in August dropped support for a program that scanned faces in Tampa’s Ybor City entertainment district. Some protesters of the system donned Groucho Marx masks in Ybor City to render it useless.

In one case, according to The St. Petersburg Times, the police used an image of a man eating lunch in Ybor City to demonstrate the system on the local TV news. A woman in Oklahoma saw the picture and accused the man of being her deadbeat husband who owed her child support. The police approached the man who turned out to have never been married.

While Tampa’s experience ran into public resistance, poor performance ended a second facial recognition trial at Boston’s Logan International Airport, where there were high hopes for the technology. It is the airport from which half of the 9/11 terrorists departed on flights that crashed into the World Trade Center. But the Boston tests recently ended when the system failed to identify positive matches 38 percent of the time. While false positives based on an operator’s decision didn’t exceed 1 percent, machine-generated false positives exceeded 50 percent. The trial occurred between January and April 2002. The American Civil Liberties Union, which requested the results under the Freedom of Information Act, publicized the results in September 2003, according to The Boston Globe.

Meir Kahtan, a spokesman for Identix, one of the companies involved in the Logan trial, pointed to the final report of the trial and noted that the test met many of its objectives, including accuracy of results. He also noted that the trial was an operational one trying to determine if face recognition was logistically feasible in an airport, not a technical one trying to determine the software’s accuracy. Continued on Page 36


“The real problem is not whether machines think but whether men do.”

-American psychologist Burrhus Frederic Skinner (1904-1990), in Contingencies of Reinforcement (1969)


34 CIO NOVEMBER 1, 2003

www.cio.com


Exclusive!

Baylor goes to the head of the IT class.

Baylor University Deploys Business-Driven Network.™

Serving the educational and recreational needs of 14,000 students is a tall order for any IT department. You have to ensure access to critical classroom resources as well as provide the Internet and e-mail services expected by today’s technology-savvy students. And security cannot be compromised.

That’s why Baylor University turned to Enterasys and its unique Secure Networks solution. Through a simple-to-administer interface, IT managers can assign very specific access privileges that stay with students wherever or however they log on. From class or the residence hall. Wired or wireless.

The network runs smoother. Security is pervasive. And students are happy.

Secure Networks Webcast

Don’t miss this informative webcast featuring Gartner and other industry experts as we address the best practices for deploying enterprise-wide security.

Register now!

Visit us at itworld.com/enterasyssecurity

Get the full story at enterasys.com/baylor

ENTERASYS NETWORKS™


Face Recognition

Continued from Page 34

But operations was where the airport officials’ report was most critical. It said the program “requires much more participation than initially anticipated,” and that because of the false positives, “the operators’ workload is taxing and strenuous, requiring constant undivided attention and periodic relief, which amounts to a staffing minimum of two persons for one workstation.” Slowing the technology’s progress are high R&D costs and vendors’ “aggressive marketing strategies,” the report added.

Charles Wilson, a scientist at the National Institute of Standards and Technology who was part of a landmark face recognition vendor test in 2002, points to the Logan test and another aborted trial at Palm Beach International Airport in May 2002, and says those trials don’t mean the technology failed. Rather, it’s a return to earth of those who were swept away by marketers who promised more than they could deliver. The systems aren’t bad; they just aren’t as good as the hype many wanted to hear, especially after 9/11. (For more about the facial recognition study, see www.cio.com/printlinks.)

“Scientists have one degree of optimism, and marketing has another,” says Wilson. Think of the conditions where the systems operate, he adds. Poor or inconsistent lighting. Cameras high off the ground, which mean steep angles to capture facial images. It’s no wonder the results weren’t dazzling.

“I look at those airport tests, and I think the systems worked as well as I thought they would in those conditions,” says Wilson. “In fact, there were airport trials a year before the Logan trial. Guess what? They turned out the same. My question is, why are we wasting all this money on individual airport trials? I think people were told they were getting a panacea to fight terrorism. But science rarely if ever delivers panaceas.”

-Scott Berinato


trendlines

I.T. VALUE

Where the Buck Stops

WHO’S RESPONSIBLE FOR achieving the intended value of an IT project? It’s the origin and goals of an IT project that determine both who is held accountable for achieving value and which factors are used to measure value, according to a recent CIO survey of 118 IT executives. Here are three conclusions from the survey.

1. Project sponsors are accountable for IT value in tandem with CIOs.

Shared accountability between business and IT leaders is the most common structure. The CIO is always part of the equation, but if it’s an HR project, for example, the vice president of HR would likely be the project sponsor and also be held accountable for value. If it’s a finance project, it may be the CFO who shares accountability.

Thirty-four percent of survey respondents said CIOs are accountable for ensuring that IT projects achieve value, while 15 percent said a business unit sponsor is responsible. Even more, 44 percent, said it’s a shared burden.

B. Lee Jones, vice president of IT and CIO of Stratex Networks, says his company’s Oracle ERP rollout began with its financial component. “So the project sponsor was the CFO, and the project lead was the corporate controller.”

2. Customer satisfaction determines project success.

Happy users are effective users (see chart, below). The customer is the primary focus of our surveyed CIOs. Internal customer satisfaction topped the list with 78 percent considering it one of their top three measures for determining value. External customer satisfaction was cited by 56 percent, making it third on the priority list.

“We survey our [internal] customers on improved service levels,” says Jeff Chasney, executive vice president and CIO of CKE Restaurants. “If, indeed, we saved a bunch of money but our services are terrible, then we didn’t save much.”

3. Staying under budget plays a strong second fiddle.

Staying at or under budget was the second most popular determining factor, with 57 percent listing it as one of their top three most important project value measures. Fifty-one percent of survey respondents cited improved productivity.

“We are definitely more financially focused than we were four or five years ago,” says Derek White, vice president of IT for the SmithGroup Cos. “Part of that is the economy, and part is more cohesive management.” -Lafe Low


CIO RESEARCH

The Value Top 10

In a CIO survey, 118 IT executives were asked to identify the top three factors they consider when determining the value of IT projects. Customers and cost-control topped the list.

Internal customer satisfaction: 78%
Budgeted amount versus actual expenses: 57%
External customer satisfaction: 56%
Employee productivity: 51%
Competitive advantage: 48%
System uptime: 48%
Organization productivity: 44%
IT department productivity: 41%
Service-level agreements: 37%
Revenue: 31%
SAS, the leader in business intelligence software, challenges...

Comply with Sarbanes-Oxley now.

Or prepare for the consequences over time.

ENTERPRISE intelligence
SUPPLIER INTELLIGENCE
ORGANIZATIONAL intelligence
CUSTOMER intelligence
INTELLIGENCE architecture

With Sarbanes-Oxley compliance deadlines less than a year away, there is an urgency to deliver financial and operational transparency - one clean, consolidated and truthful version of data for all your disclosure controls and procedures. SAS® Corporate Compliance software provides auditable, searchable process and document control solutions. So you can prepare now, while creating a system that won’t be outdated when the next new legislation is enacted. Our intuitive interfaces are designed for users of any skill level - with a central point of control to manage across all environments - and an open, adaptable architecture. To find out more about how to confidently comply with Sarbanes-Oxley, including Section 404, call us toll free at 1 866 270 5729 or visit our Web site.

www.sas.com/sox

The Power to Know.

SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other countries. ® indicates USA registration.

Copyright © 2003 SAS Institute Inc., Cary, NC, USA. All rights reserved. 256048US.1003
Enterprise Systems Show Results

THE INFAMOUS REPUTATION of enterprise systems (ERP, CRM) is lots of money for little value. Yet more than three-quarters of companies implementing enterprise systems say they’ve achieved at least half of the value they initially expected from the technology, according to a study by Accenture. The companies that extracted value had two things going for them: time and follow-through.

Within a year of implementation, most companies failed to realize many hoped-for benefits, such as reduced headcount and more accurate business planning. But after two years, the majority saw payback of every type of benefit except increased revenue.

At companies where implementation was the end of their enterprise systems effort, fewer than half the expected benefits were realized. But among companies that continued to integrate and fine-tune processes, 42 percent achieved the majority of the benefits they had targeted.

Who’s Got the Value?
Percentage of respondents achieving different degrees of enterprise systems benefits

Better Things Come to Those Who Wait
Percentage of respondents achieving enterprise systems benefits over time

SOURCE: A report by Tom Davenport, Jeanne Harris and Susan Cantrell on a March 2003 study by Accenture Institute for Strategic Change of 163 businesses in North America, Europe and Australia

Best Practices

Remember: Results take time. It takes a while for companies that put in their enterprise systems (ES) one module or business unit at a time to reap any benefits. Getting to critical mass, meaning a significant portion of system modules are up and running sooner, is obviously ideal, but “big bang” implementations are more likely to lead to performance problems and project failures.

Prioritize benefits and create a plan. Benefits of ES don’t just happen; they have to be planned and managed. Formalize ways to measure and track benefits from ES, and assign this responsibility to an individual. Accenture consultant Tom Davenport says, “The 31 percent of organizations that actively track metrics achieved them significantly earlier than those that did not. Likewise, the 65 percent of organizations that hold a dedicated individual responsible for realizing enterprise systems benefits also achieved benefits earlier than those that did not hold someone responsible for benefit realization.”

Manage enterprise systems as an ongoing program. “We now have evidence that getting value from enterprise systems is not a project, but a way of life,” says Davenport. If the ES project ends when the software goes live, “it’s unlikely that substantial value will be achieved.” Companies will gain payback by integrating ES with legacy and best-of-breed apps, adapting business processes to fit with ES, and converting ES data into knowledge to support analysis and decision making.
QWEST HELPS WORLD VISION SAVE MORE THAN MONEY.

Technology can definitely make a difference. As in the Virtual Private Network that Alan and his team deployed for World Vision, one of the world’s largest humanitarian organizations. It gives them real-time video connections between offices, so they can more efficiently assess situations and deploy aid. It also provides superior voice and data communications to help them coordinate humanitarian efforts. All while cutting costs. And at World Vision, all savings go right to the bottom line: food, medicine and help for more than 85 million people in nearly 100 countries on five continents. At Qwest,® we’re proud of our Spirit of Service.™ And prouder of the results.

Qwest

Spirit of Service


VOICE SOLUTIONS

For networking solutions that deliver on your kind of ROI, visit us at qwest.com/bizspirit or call us at 1 800-506-0663

DATA SOLUTIONS
INTERNET SOLUTIONS
MANAGED SOLUTIONS

Service not available in all areas. Contact Qwest for details. ©2003 Qwest Communications International Inc.
GOVERNMENT REGULATIONS

Safety Rules Drive Bus Maker’s IT Project

FEDERAL RULES now require makers of commercial and private vehicles and the parts they make to submit massive reports—and by massive we mean hundreds of pages, according to one manufacturer—to the National Highway Traffic Safety Administration (NHTSA) on defects, customer complaints and warranty claims.

The Tread (Transportation Recall Enhancement, Accountability and Documentation) Act was passed in 2000 following congressional hearings into the more than 100 deaths associated with defective Firestone tires on SUVs.

The first reports under the Tread legislation are due next month. Failure to comply could result in a $5,000 per day late fee. The NHTSA is very particular about how it wants the information submitted—it has to be formatted in a certain way and organized in distinct categories. And it has to be submitted quarterly. It’s a big job.

To do it, Gillig, a city bus builder in Hayward, Calif., with annual sales around $300 million, turned to Syncata for software that culls information from Gillig’s databases, formats and maps that information in accordance with NHTSA’s specifications, and then transmits the required Tread documents to Washington, D.C.

Bob Birdwell, Gillig’s executive director of quality and service, says numerous companies pitched him on software similar to Syncata’s, but Syncata held a seminar that helped him to better understand Tread. The installation went smoothly, though there were a few challenges. For example: It took more time and effort than expected to gather all the required information and then get all those documents into a Lotus Notes database so that Syncata could access the information it needed to format for the NHTSA.

Syncata uses Windows 2000 and SQL Server database to extract data from whatever data format the client is using. Gillig's users click on a desktop icon to access the reporting system. Pricing for the system starts at $25,000 and can cost nearly $100,000 for larger companies.

Thilo Koslowski, lead automotive analyst at Gartner, says there are few companies offering software to assist with Tread compliance. He expects IT players like Microsoft and EDS to develop similar software. But, meanwhile, those reports are still due. -Julie Hanson
VENDOR MANAGEMENT

Bundle with Care

YOU GET WHAT YOU PAY FOR. And sometimes, when there are extra goods and services bundled into a contract, you get more than you bargained for—and a bigger bill to boot.

An audit by NASA’s inspector general’s office shows that the space agency overpaid by an average of 24 percent for computer peripherals, accessories and supplies purchased through a 1998 desktop services deal with a group of seven vendors. Vendors involved in the $1.3 billion arrangement bundled products with unnecessary hardware, software or services, jacking up the prices. One supplier bundled a Palm m505 with several communications and Web-browsing programs for a total price of $1,128.93, while a basic Palm m505 would have been less than $500.

Since the audit came to light in August, NASA officials say that the agency has recovered its overpayment, has agreed to scrutinize the use of product catalogs and will seek volume discounts.

The blunder gives CIOs a chance to review some key concepts when looking to sign a deal that bundles goods and services, a common outsourcing practice. Bundling can be good business. But there are potential problems: A lack of choice means the potential for hidden costs. (See “Getting the Best from Your Vendors,” Page 84.) Some tips:

► Decide whether the product you’re buying is a commodity. If it is, a lack of choice in product selection is not important, says Michael Murphy, a partner with law firm Shaw Pittman. If it’s not, CIOs should negotiate rights to OK outsourcers’ product choices.

► Know that bundling can be forever. If you agree to the bundling of certain service levels into the price of a product, you must buy that service every time you buy the product—whether you need it or not. In such cases, CIOs can negotiate “a menu of service-level options to give internal customers some choice,” Murphy advises.

► Make fair product prices part of the contract. Build competitive bid provisions into the contract so that vendors selling you commodity products are getting good deals from their suppliers.

► Renegotiate if necessary. If a contract is not working out well, use the situation as an opportunity to reexamine the entire outsourcing relationship—not just bundling. William Bierce, a principal at law firm Bierce & Kenerson, says, “A properly crafted agreement can provide both flexibility and control for the customer without jeopardizing the service provider’s ability to deliver agreed service levels.”

-Stephanie Overby

PHOTO-ILLUSTRATION BY JOHN WEBER


Oracle Makes Linux Unbreakable

Everyone knows Linux costs less. Now it's faster and more reliable too.

oracle.com/linuxfaster or call 1.800.633.0546

Copyright © 2003, Oracle Corporation. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.


trendlines

On the Move

By Meridith Levinson

After FBI, John Chooses Mentor Role at Consultancy

DARWIN JOHN HASN’T thought about his career since he left Scott Paper in 1990.

At that time, John felt he had reached the apex of his professional life, serving as vice president of planning, development and information at a major corporation. The experience (11 years at Scott Paper and six-plus years as an IT executive at General Mills before that) and rewards that went with those roles freed him to pursue what he calls his personal mission in subsequent jobs: to serve and teach others what he’s learned, and to continue his own professional education.

That’s what John did when he became CIO of the Mormon Church in 1990. He did it again last year when he served as CIO of the FBI for just 10 months.

Now John, 65, has taken his next step. One week a month, John imparts his 40-plus years of professional experience as a strategic adviser for Blackwell Consulting Services, a management and IT consultancy. He’s a sounding board for founder and CEO Robert D. Blackwell Sr., as the company seeks growth and its next generation of leaders among 240 consultants. (John also still works one week a month for the FBI as a consultant.)

When word spread that John was leaving the FBI CIO job, Blackwell paid John an unexpected visit to his office in D.C. to try to get him to join his company. The two men had developed a professional relationship three years ago, when Blackwell spoke at a Society for Information Management leadership seminar that John facilitated.

John had many options after the FBI. He could have joined a big consultancy, a corporate board or a small software company. In a recent interview, John explained why he chose Blackwell.

Alignment with his personal mission. John viewed the position with Blackwell as fitting his philosophy of making job changes that mesh with life goals. “Aligning with organizations where there’s a match between who you are and what you represent positions you for the highest probability for success,” he says.

A satisfying role to play. When John first visited Blackwell’s Chicago headquarters last June, he met bright, capable employees with whom he thought he’d like to work. Enabling growth “is a very fulfilling experience for me,” says John.

A good fit on corporate values. John says Blackwell respects its employees and its customers, believes in quality in the services it delivers, and is committed to staying current with leading-edge technologies and business practices.

Joining Blackwell “was an intuitive conclusion,” John says. “It just felt right in terms of the people, in terms of what the organization stood for, and in terms of me being able to make a difference.”

Blackwell, in a letter to clients, cited John’s experience. “Darwin has lived and experienced the role of CIO, so he knows the pain, the anticipation, the worries and the pressure associated with the title.”

John’s own view emphasizes a broader perspective. “Life is not a career. Life is a mission. You need to be clear on what your mission is. Align every decision against your personal mission. If you get real clear on your personal mission, you can make a difference.”

’TWAS A BUSY SUMMER at e-commerce players. Christopher Hjelm, former senior vice president of technology at eBay and a FedEx alumnus, joined Orbitz as its CTO in July. Hjelm succeeds Alex Zoghlin. Lars Rabbe, the CIO at Yahoo since July, manages the portal’s IT staff, enterprise applications and networks; he reports to CTO Farzad Nazem. Eric Meyer left Netflix, the online DVD movie rental service he cofounded, to be CIO of Internet bubble survivor LowerMyBills.com. In August, Dean L. Denhart, former executive vice president and CIO of online real estate marketing company Homestore, became CIO at online dating company MatchNet.

CIOs Who’ve Answered the Public Service Call

Teresa Pudi joined nonprofit Habitat for Humanity International in 2001 as vice president of information services after 20 years in retail, manufacturing and consulting industries.

Paul Strassmann, former CIO at Xerox and former director of defense information at the Department of Defense, served as acting CIO for NASA from July 2002 to March 2003.

Bill Friel, CIO of Prudential Financial, began the New Jersey chapter of Tech Corps, a national nonprofit organization (founded by CXO Media Publisher Gary Beach) to help elementary and secondary schools use technology.
Internet Security Systems today. 800-776-2362. www.iss.net/takecontrol.

Internet Security Systems

© 2003 Internet Security Systems, Inc. All rights reserved worldwide.


trendlines

SUPPLY CHAIN MANAGEMENT

Talking Turkey with Perdue’s CIO

THOUGH YOU’VE GOT only one turkey to handle at Thanksgiving, this year, the folks at Perdue Farms will manage to move roughly 1 million turkeys—each within 24 hours of processing—to reach holiday tables across the nation.

The task isn’t as tricky as it was before the food and agricultural products company invested $20 million in supply chain management technology five years ago. Using Manugistics forecasting software and supply chain planning tools, Perdue has become more adept at delivering the right number of turkeys to the right customers at the right time, says CIO Don Taylor. “As we get to November, we have live information at our fingertips,” he says.

Before investing in supply chain management and forecasting software, Perdue’s managers went by the “gut feel” of its suppliers and customers, as well as the seasonal history of past consumption. It worked well enough; the company Arthur W. Perdue founded in 1920 has grown to reach annual sales of $2.7 billion. With the forecasting and supply chain systems, Taylor says the privately held company monitors its products year-round, checking in more frequently as Thanksgiving approaches. While the third week of November is Perdue’s busiest time of year, the company’s output doesn’t change radically. The big difference is the form the turkeys take. Most of the year, it’s more food parts and deli meats, while this time of year it’s whole birds.

Getting turkeys from farm to table is a race against time, so Perdue has turned to technology to make sure its products arrive fresh. Each of its delivery trucks is equipped with a global positioning system that allows dispatchers to keep tabs on the turkeys en route from each of the company’s four distribution centers to their destinations. If a truck breaks down, a replacement is sent to rescue the pallets of poultry. “We know where our trucks are exactly at all times,” says Dan DiGrazio, Perdue’s director of logistics.

Perdue uses everything but smoke signals to communicate with customers, staying in touch via telephone, e-mail and video conferencing. Some stores have vendor-management inventory control systems, which allow Perdue to track sales of its products in real time.

“We’re always looking at new technologies as they come along to see what makes sense for us,” Taylor says. And come Nov. 27, Taylor will probably give thanks to his supply chain for making his job a little bit easier. And getting the drumsticks to his table.

-Sharron Kahn Luttrell

Drumstick Details

Perdue produces more than 48 million pounds of chicken products and nearly 4 million pounds of turkey products each week.

One million turkeys will be shipped nationwide from four Perdue distribution centers in time for Thanksgiving.

Turkeys arrive at supermarkets and other destinations within 24 hours of slaughter and processing.

Perdue trucks are connected via satellite to dispatch and distribution centers.

All chickens and turkeys are produced under contract by almost 3,000 independent farm-family partners.

SOURCE: Perdue Farms
Punch Card Creator

NOV. 17, 1929 Dr. Herman Hollerith, the creator of the electric tabulating machine and founder of a company that would later become IBM, dies of a heart attack at the age of 69.

Hollerith’s invention was the first that used punched holes in tape—then cards—to sort and re-sort data. The government used Hollerith’s invention to tabulate the 1890 census. The project took three years, instead of the seven years it took in the 1880 count. Punch-card technology ended up as a staple of information processing systems through the late 1970s.

Hollerith was a science star who also displayed great business acumen. Born in Buffalo, N.Y., he went to City College of New York at age 15 and graduated from the Columbia School of Mines at 19. His work for the U.S. Census after college introduced him to the tabulating challenge. In 1882, as a mechanical engineering instructor at MIT, he started to develop his own counting machine using punched paper tape. The position of a punched hole on the tape represented a data point; a tape-reading machine gave the results. His first patent came in 1884. The success of the 1890 census would eventually lead to his recording tabulating machine sales in Europe and Canada. In 1897, Hollerith founded the Tabulating Machine Co., which after some mergers became International Business Machines Corp. Or, IBM to you and me.
Finally, a company that talks big and works bigger. A company that talks ROI and actually delivers. A company that provides real business value you can measure. A network solutions and services provider called NextiraOne.

At NextiraOne, we bring clarity to your complex communications networks. Planning, designing, implementing, supporting and managing. For voice, data and converged infrastructures.

In the United States or around the world. You name it, we do it - with world-class results.

It ain’t braggin’ if you can do it.

www.NextiraOne.com (888) 888-1055
I AM A SNARLING PACK OF DOBERMANS.

I AM INTEGRATED SECURITY. I HAVE THE POWER TO PROTECT YOUR NETWORK FROM THE INSIDE, THE OUTSIDE AND FROM EVERYWHERE IN BETWEEN. I ALWAYS KNOW WHO IS ON THE GUEST LIST AND HAVE THE POWER TO DENY THOSE WHO AREN'T ON IT. I SNIFF OUT THREATS SO YOU CAN STAY PRODUCTIVE.

I AM MORE THAN A CISCO 3700 ROUTER.

THIS IS THE POWER OF THE NETWORK. NOW.
Peer to Peer

Field-Tested Ideas from CIOs for CIOs

Talking at the Top of the World

The search for the right kind of mobile IT equipment to use in the world’s most remote regions took the CIO of the World Wildlife Fund to a mountaintop in the Andes

BY GREGORY SMITH

IN MAY OF 2001, a team of experienced field biologists including staff from the World Wildlife Fund (WWF) conducted an inventory of wildlife in the Dzanga-Sangha Dense Forest Special Reserve in the southwestern Central African Republic (CAR). Working deep inside the jungle, often at night, the researchers analyzed the threats and opportunities facing one of the world’s few remaining undisturbed lowland tropical forests, which spans five countries in the heart of Africa. The reserve is home to one of the continent’s largest intact forest elephant populations, western lowland gorillas, 16 of the country’s 20 primate species, hundreds of bird species and thousands of plant species.

WWF Senior Communications Officer Lee Poston joined the expedition to document the team’s findings for publication on WWF’s website (www.worldwildlife.org). Poston transmitted his daily notes via a rented satellite terminal and phone. The rented satellite gear was capable of transmitting at 9,600bps and was recharged with a 13.8-watt solar charger. Setting up the satellite terminal and getting a strong signal to the satellite above was not a problem. Small text messages and Word attachments transmitted successfully within seconds.

However, the equipment was inadequate for sending photographs that could graphically communicate what was being accomplished by the team on the ground. Lee spent up to 25 minutes trying to send multiple photographs and was successful on only two occasions.

Just before the team was scheduled to leave CAR, a violent coup broke out in the capital city, Bangui, about 300 miles away. Rebel and ex-military groups attacked military posts and the presidential palace with AK-47 machine guns, mortars and grenades. The borders and airport were closed, and dozens of people died. Many victims were left in the streets because residents were too afraid to pick up their dead relatives. The WWF team used the satellite phone to assure colleagues that they were safe and devise an elaborate plan to escape the troubled country. They left at 3 a.m. in an SUV, crossed the river via a boat into Cameroon and finally took a small plane to a safe haven in Cameroon’s capital, Yaounde.

Shortly after I joined WWF, Lee and I met to discuss the trip and ongoing satellite technology challenges for the World Wildlife Fund. The organization’s needs were simple—the staff needed a lightweight mobile satellite terminal capable of transmitting high-speed data for access to WWF systems at U.S. headquarters in Washington, D.C., along with voice capability and satellite coverage for more than 95 percent of the globe. I soon learned that WWF leased all of its satellite phones and equipment, but the leased equipment had limited data capabilities for sending pictures, and accessing WWF systems was very expensive. After researching other rental options, I found that rental prices were moderate, but usage fees were exorbitant and usually had high minimum-usage time commitments associated with each short-term lease contract. I then researched the equipment available for sale by vendors and discovered that mobile satellite technology had evolved during the past several years to produce effective, lightweight portable data and voice devices capable of handling the needs of the ultimate remote traveler.

Next Stop, the Andes

Once I selected a product and network vendor, it was time to test-drive the unit. I boarded a plane bound for Lima, Peru, with my compact loaner, a six-pound Nera WorldCommunicator GAN/M4 satellite terminal with a fold-out antenna that was capable of 64kbps digital connections. In Lima, I spent some time at our field office testing the device via the Inmarsat satellite over Brazil. I set up the antenna at the WWF office and conducted several tests, including tracing routes to various U.S. computers to determine connection stability. Additional tests included access to public websites and access to WWF applications and data via secure Citrix sessions. The terminal and service worked perfectly during the preliminary tests, and the Citrix session running on my laptop never dropped the connection through the satellite uplink.

I drove from Lima to a pristine mountain pass in the Andes called Ticlio. The son of the WWF finance and administration manager from the Lima office, a native Peruvian, escorted me on the three-hour trip, just in case I ran into trouble. The air at 16,000 feet was crisp. Light winds moved the cloud cover both below and above me. Nearby, children played soccer. As I unpacked the satellite gear, I noticed a Peruvian mother carrying her infant in a shoulder sling. It was humbling to see her moving so easily as I struggled to get accustomed to the altitude. I felt lightheaded and nauseated. I even had difficulty reading the signal strength meter on the terminal as I attempted to find the right location for the satellite. I finally found the satellite and locked in my connection from the Nera terminal. Within minutes, I was accessing our corporate network in Washington, D.C., and sending e-mails with sizable data file attachments from the top of the Andes. The terminal proved reliable even with a 700ms per hop delay via the satellite connection. After the 45-minute test, I was satisfied that the equipment and service would be reliable and add value to the WWF mission. I packed up the gear, and we headed back down to Lima, passing a number of poor mountain villages and tapped-out mining communities along the way.

Several WWF staff members have since taken the equipment I purchased from Telenor into the field to support our environmental work. Recent trips to remote locations have shown that our team is able to utilize the terminal and GAN/M4 network for both reliable voice and data transmissions. WWF staff members have been successful in establishing reliable 64kbps digital data connections and variable bandwidth voice connections from the field. WWF has also recently added satellite-based handheld phones to its satellite solutions for staff who simply need voice capabilities in a small device. The staff has successfully uploaded files to our Web team from remote locations like Nepal’s Royal Chitwan National Park and the Terai Arc, which includes 12 million remote acres spanning Nepal and parts of India. Some of the world’s most endangered wild animals, including tigers, rhinos and elephants, roam the Terai Arc. WWF and its partners are attempting to restore and reconnect 11 national parks in Nepal and India to create one continuous landscape and corridor that will allow such wildlife to flourish. Our team of environmental professionals is now adequately equipped to meet the diverse needs of voice and data communications from nearly any location on the planet.

Gregory Smith is vice president and CIO of the World Wildlife Fund in Washington, D.C. You can e-mail him at greg.smith@wwfus.org.

See enterprise reporting for what it really is. A strategic advantage.

Introducing Cognos ReportNet™

The only solution comprehensive enough to standardize all your enterprise reporting. From customized queries to production. On a single product. Built on a zero-footprint, open architecture created specifically for the Web. Designed to meet the needs of a global enterprise. It’s a key part of a comprehensive Business Intelligence solution. Take the first step toward managing performance. Read about Breakthrough Reporting at:
Why David "you want to put what on my network?" Prema loves his Savin 4045:

“I don’t care what they’re calling it these days. To me, it’s a copier. It’ll always be a copier. And copiers and networks don’t mix. End of story. At least that’s what I thought. Then my Savin guy set me straight. He brought in this digital imaging system. It plays well with others. It takes on a lot of important jobs. And my network doesn’t mind having it around.”

See what Savin can do for you at www.savin.com.

©2003 Savin Corporation
Can you see it?

Middleware is Everywhere.

MIDDLEWARE. It’s what on demand business demands. And middleware is IBM software like DB2, Lotus, Rational and WebSphere that develops, integrates and manages your applications and systems. Everything is efficient. Seamless. Across the board. Across platforms. Microsoft. Oracle. Sun. You name it. IBM’s open middleware can connect it. It’s instant business benefit. Instant customer satisfaction. On demand.

e-business on demand™

Go to ibm.com/software/integrate

1. Instantly admitting patient.
2. Immediately processing claim.
3. Automatically approving procedure.
4. Constantly tracking treatment.
5. Directly assessing costs.

Jack  Keen  I  Real  Value 

Practical  Counsel  for  Capturing  IT  Value 


Evidence  Rules 

Successful  business  cases  have  strong  supporting 
data  backing  them  up.  Here  are  some  tips 
for  effective  evidence  building. 

BUSINESS  CASES  DONE  RIGHT  are  powerful  tools.  When  they  include 
impressive-looking  tangible  benefits,  powerful  intangibles  and 
clear  business  alignments,  they  gain  attention. 

But  all  is  for  naught  if  no  one  believes  them.  That’s  why  get¬ 
ting  the  evidence  right  is  a  crucial  step  when  building  a  suc¬ 
cessful  business  case.  Weak  evidence  spawns  distrust  from 
inherently  skeptical  decision-makers,  thus  heightening  the  risk  of 
rejection  of  business  case  recommendations.  While  losing  the 
funding  is  bad  enough,  the  harm  to  the  reputation  of  the  peo¬ 
ple  who  created  the  business  case  can  be  even  deeper.  The  trust¬ 
worthiness — even  honesty — of  these  individuals  may  be  called 
into  question  on  other  issues.  Fortunately,  evidence  building  is 
a  skill  that  is  easy  to  strengthen.  Just  as  lawyers  must  prove 
their  cases  based  on  evidence  believable  to  judge  and  jury,  CIOs 
and  their  teams  must  argue  the  evidence  to  other  executives  to 
prove  a  business  case.  Try  these  five  “courtroom  savvy”  tech¬ 
niques  for  making  your  evidence  the  best  possible. 

1.  Know  when  evidence  is  most  needed.  Controversial  con¬ 
clusions  around  central  themes  of  the  business  case  need  strong 
proof  statements.  Also  watch  out  for  unsupported  statements 


you  consider  self-evident;  others  may  beg  to  differ.  For  exam¬ 
ple,  rather  than  boldly  asserting  that  “more  fact-based  man¬ 
agement  is  a  key  to  success,”  buttress  your  declaration  with 
strong  supporting  evidence,  such  as  “Last  year’s  ‘Top  Business 
Practices’  survey  of  25  industry  CEOs  revealed  that  analytic- 
focused  management  was  the  number-two  driver  of  superior 
shareholder  return.”  Sensitivity  analysis  can  also  point  to  areas 
needing  sound  evidence.  For  example,  if  an  important  calcula¬ 
tion,  such  as  dealing  with  improvement  in  employee  turnover, 
is  highly  sensitive  to  variations  in  its  value,  take  the  extra  time 
to  find  support  concerning  why  the  specific  quantity  selected  is 
trustworthy. 

2.  Decide  how  strong  the  evidence  must  be.  The  more  sur¬ 
prising,  arguable  or  obscure  a  business  case  claim,  the  better 
the  evidence  must  be.  The  American  legal  system  provides 
some  guidance:  In  courts  of  law,  as  well  as  in  “courts”  of  IT 
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ILLUSTRATION  BY  MELINDA  BECK 


Protect  the  edge  of  your  network 

'*  leading-edge  technology. 


Check  Point™  VPN-1®  Edge™  is  a  new  appliance  that  easily  and  securely 
connects  your  remote  sites  —  perfect  for  large-scale  deployments. 


This  is  an  all-in  one  appliance 
tailored  to  meet  the  broad  needs  of 
today’s  corporations.  VPN-1  Edge  works 
with  your  existing  infrastructure  to  secure  and 
connect  all  your  remote  locations,  including  branch, 
retail  and  partner  sites. 


Up  and  running  in  minutes,  VPN-1  Edge  takes  your  security  to  the 
very  edge  of  your  network  by  integrating  VPN-r/FireWall-1®  technology, 
high  availability  and  networking  features.  It’s  plug-and-play  security  that  you 
can  manage  from  a  central  corporate  IT  department. 


•  Patented  Stateful  Inspection  firewall 


i 


•  Centralized  SMART  management 


One-Click  VPN  deployment 


ISP  and  gateway  high  availability 


- 


VPN-1  Edqe  solutions  for  all  your  remote  Check  Point 

<3  j  SOFTWARE  TECHNOLOGIES  LTD. 

and  branch  locations  start  at  $399. 

Visit  www.checkpoint.com/edge  to  learn  more 
about  VPN-1  Edge  Internet  security  appliances.  We  Secure  the  Internet. 

©  2003  Check  Point  Software  Technologies  Ltd.  All  rights  reserved. 


Jack  Keen  Real  Value 


investment funding, reliable evidence must be material (that is, relevant to the issue at hand) and directly affect the probability that the claim is true. In these courts, evidence comes in multiple flavors. Direct evidence, such as that from trusted colleagues or subject matter experts, is usually the most powerful. Circumstantial evidence (such as third-party surveys reported in public records) can also be useful, although often less effective than direct evidence. Hearsay is the least desirable. For example, if a proposal for a new system asserts a controversial claim that customers will make 5 percent larger purchases, and such a claim is central to the power of the business case, then taking the time and effort to focus on direct evidence is best.

3. Know the rules of evidence. Unlike courts of law, the rules of evidence for business cases are often unspoken. Don’t tolerate this situation. All decision-makers carry in their heads a set of rules concerning what they consider as admissible and not admissible for business case evidence. Does your CEO give great weight to evidence from industry trade associations in which he is active or to surveys from his blue-ribbon business school alma mater? Uncover the other executives’ preferred types of evidence by asking them directly or by studying evidence characteristics of investment proposals they have supported.

4. Discard the bad stuff. Learn to identify bad evidence disguised as good. Found a mouth-watering evidence statement? Pass it through this four-way “evidence truth test”:

■ Is the source of the evidence readily identified? Publicized quotes and metrics without precise sources are not credible. Even cited sources, if ambiguous, are warning flags. For example, stating “Source: ABC Global Research Corp.” can be frustrating to a business case reader who wishes to quickly investigate the information further. If ABC has been in business for 20 years, has 1,000 employees and publishes more than 500 documents annually, it may appear that the business case writer is daring the reader to try and hunt down this


needle in a haystack. Not a good way to engender trust in a business case.

■ Is the evidence applicable? Ten CEOs who swear to a 20 percent productivity improvement from using Vendor X’s CRM system may, upon deeper investigation, be talking about different modules within the CRM system itself. One person’s CRM system may be for sales-force support. Another person’s CRM may be for customer service help desks. If the source of the evidence was loose about definitions of key terms, make sure your CRM definition matches it.

■ Is the quoted metric a guess or a measurement? “We saved 25 percent of our budget within one year of installing Gizmo Model H” may turn out to have originated from a flippant guess over drinks with the vendor, rather than a carefully measured benchmark.

■ Is the evidence objective? Beware of quotes from a vendor’s clients. Make sure hidden incentives, such as special discounts, are not encouraging the singing of artificially high praises.

5. Document your evidence well. Succinctly and completely documenting evidence in the business case can go a long way in encouraging its acceptance. Make it easy for the business case reader to both understand and believe in each nugget of proof. When citing publications, be precise concerning publication name, pages referenced and date of publication. When using published quotes, explain who said it, the date it was said and under what context.

Trusted business cases get funded more often. You don’t need to go to law school to get good at evidence discovery and usage. Pointing your evidence-building team toward the guidelines above is a great start.


Jack Keen is the president of consultancy The Deciding Factor (www.decidingfactor.com) and coauthor of Making Technology Investments Profitable: ROI Roadmap to Better Business Cases. Reach him at jkeen@decidingfactor.com.
High Performance: Extremely responsive to the most demanding business applications.

Longer Battery Life: Power-conserving technology enables extended battery life.

The Unwired Office starts here.

The promise of a truly wireless workforce is being fulfilled. Because Intel Centrino mobile technology delivers unprecedented levels of mobility for your users and easier deployment for you. Intel is working with other industry leaders to make wireless networking not only reliable, but secure. And Intel continues to work closely with Cisco to extend Intel Centrino mobile technology’s ability to support enhanced wireless security protocols.* Now you can do something the whole office will thank you for. Unwire. For all the details, go to intel.com/unwire.


©2003 Intel Corporation. Intel, Intel Inside and the Intel Centrino logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others. All rights reserved. System performance, battery life, wireless performance and functionality will vary depending on your specific hardware and software configurations. See http://www.intel.com/products/centrino/morejnfo for more information. *Some security solutions may not be supported by your PC manufacturer. Check with your PC manufacturer for details on availability.
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Cheryl  Smith, 
senior  VP  and  CIO 
McKesson  Corp. 


Bad employees drain your IT organization and the company. Forced ranking can help you get tough— but at what cost?

BY  MERIDITH  LEVINSON 


Reader  ROI 

► The costs created by underperforming employees

► How forced ranking works, and why it can backfire

► Five steps to improving workforce performance


Real employees who received poor performance reviews from Cheryl Smith, senior vice president and CIO of $57 billion McKesson Corp.:

The  IT  manager  who  spent  more  time  walking  around  the 
executive  floor  trying  to  be  seen  than  working  with  his  team 
to  solve  actual  problems. 

The  senior  programmer  who  worked  very  hard  on  an  extra 
project  she  thought  important,  causing  her  group  to  miss  key 
deadlines  because  her  assigned  work  didn’t  get  done. 

The  employee  who  called  in  sick  every  other  Monday  and 
Friday,  believing  that  no  one  would  notice. 

The  programmer  who  signed  up  to  work  at  home  two  days 
a  week  but  then  never  seemed  to  be  available  those  days  for 
conference  calls. 

The  senior  staffer  who  felt  that,  because  he  had  worked 
hard  throughout  his  career,  it  was  time  to  take  it  easy 
because  the  company  owed  him. 

The  programmer  who  refused  to  take  her  turn  in  the 
rotation  for  emergency  night-call  duty. 

The  analyst  who  spent  a  lot  of  time  shopping  online  for 
personal  items. 

If you’ve been in IT management for long, you’ve probably had to deal with employees who aren’t up to the task, consistently perform below their capabilities or exhibit a bad attitude. These staffers fail to live up to “the agreement,” as Smith puts it, that in exchange for a paycheck, they provide the company with their talents, experience and time.


Cover  Story  |  Staff  Management 


It’s a wrenching task, but you have to face up to the need to confront poor performers and either fix their shortcomings or fire them. If your organization is still in layoff mode, then identifying and weeding out the undesirables is by far the best way to trim headcount. And when the economy does rebound, CIOs who have culled their staffs will be better prepared to take on new projects aggressively.

In recent years, many companies have instituted the concept of forced ranking, a tough-minded approach that obligates managers to rank their staffers against one another. The bottom-dwellers typically are pushed out or encouraged to leave. Forced ranking is not without its detractors, however. Some say it drains employee morale, eliminates cooperation and, if used every year, can result in even good performers being cut. But forced ranking can be applied in a less draconian and more effective way.




Smith identifies and rewards her best employees with bonuses, while the poor performers get nothing. Anything else would be unfair to her star staffers. “Life is a bell curve. Get used to it,” says Smith, who prefers to refer to “relative contribution” rather than forced ranking, since she believes the first term more clearly explains to employees how they’re being evaluated.


You  Can  Run,  But  You  Can’t  Hide 

No question, it’s often very hard to confront poor performers. “Managers would rather have a tooth pulled than have a performance conversation with a subordinate,” says Dick Grote, president of a management consultancy specializing in performance appraisal, Grote Consulting, and author of several books on performance appraisal. “Dealing with poor performers is probably the most difficult job that anybody with supervisory responsibility has. The hardest thing to do is to look a person in the eye and tell them they’re not good enough. God, that’s tough.”

Going soft on problem employees, however, can just end up creating more problems for an organization, says Tsvi Gal, senior vice president and CIO of Warner Music Group. If a manager is not abundantly clear with an employee about his performance during a review, the employee won’t change his behavior to the degree needed. “When you say to someone, ‘You can improve a little bit in this area,’ they take it literally — that they only have to improve a little bit,” Gal says.

If unskilled or careless workers fail to take care of software and systems properly, it can affect the business from a revenue and cost perspective, says Martin Davis, CIO of $24 billion financial services company Wachovia. When the business unit is funding the IT project, and the project ends up costing more than was established in the business case because of a botched implementation, the business unit will have to shell out more money.

Turning a blind eye to shoddy work can also eat away at your own IT organization. That’s especially true in companies that have downsized, where there’s more work for remaining employees to do. “Nothing drives your good performers away faster than knowing that a supervisor isn’t dealing with performance issues,” says Kris Paper, senior vice president and CIO of Primedia Business Magazines & Media. “I know I have to pull the trigger and eliminate [underperformers] when my good kids are suffering, like when they’re having to take that person’s call or they’re having to redo that individual’s work,” she says.

Nonetheless, managerial lenience with poor performers is so pervasive that many companies have turned to forced ranking. It’s a controversial practice, because it effectively forces managers to make tough decisions that they otherwise wouldn’t or couldn’t make about their employees.

Forced Ranking: Right for You?

Forced ranking was popularized by Jack Welch early in his tenure at General Electric. Several high-profile companies followed suit, among them Conoco, Hewlett-Packard, Microsoft and, notoriously, Enron. As many as 20 percent of large companies now apply forced ranking. There’s no single way to do it — the concept encompasses any system in which individuals are ranked against one another. Probably the most popular method is to set the distribution according to a bell curve, designating, say, 10 percent of employees as top performers, a middle 80 percent as the unspectacular but necessary backbone of the company, and the remaining 10 percent as the bottom-feeders. Other companies rank employees on a totem pole, one above another. Still others divide the staff into quartiles. Usually the stars in the top group receive the lion’s share of development and bonuses, while the bottom-dwellers get a pink slip or, at the very least, a warning.


Lifestyles  of  the  Unskilled  and  Annoying 


The  Bad  Attitude 

This employee could be a brilliant technician or project manager, but the chip on his shoulder renders him impossible to work with. When Kris Paper, senior vice president and CIO for Primedia Business Magazines & Media, joined the company in 2002 and was in the process of assessing the skills of her staff, one longtime employee unabashedly proclaimed that he had no IT skills and had “somehow landed in IT.” The worker insinuated that he deserved a job in IT by virtue of his long tenure with the company. Paper did not waste time in eliminating his position. “If they don’t have the right value system, they’re not worth the investment. I can train the skill, but I can’t train the values,” she says.

The  Slacker 

Characteristics of the stereotypical slacker include rumpled clothes, bedhead and— more to the point for an employer— tardiness, slipshod work, and a tendency to procrastinate and do only the bare minimum. Bill Haser, CIO of Tenneco Automotive, describes a careless systems analyst who failed to follow development processes or document changes he made to systems. Haser says that while 80 percent of the time the man’s changes worked, 20 percent of the time they “ended up screwing something up.” When Haser and this employee’s manager confronted him about his feckless work, they learned that he didn’t think the procedures were important because he didn’t understand them. He thought they created needless work. Haser and the manager explained to the worker the importance of the IT organization’s development processes and showed him that if he toed the line, he’d save five times as much time and effort in ongoing support. The systems analyst agreed to follow the company’s development process to a T— and saved his job.

The  Incompetent 

Sometimes, poor performance isn’t a choice. Sheleen Quish, global CIO and vice president of corporate marketing for U.S. Can, describes a tech support employee who was personable and possessed with a Little Engine That Could attitude (“I think I can, I think I can”), but who overestimated his skills. Because of his positive attitude, Quish and his immediate supervisor accepted that he was a slow learner and chose to be patient with him— until the day he accidentally caused all hell to break loose at the company.

Without authorization or the knowledge of anyone else, the tech support worker came into the office one weekend and installed antivirus software on all employees’ desktops, including the CEO’s. But he did such a lax job that he wound up compromising people’s PCs. As soon as employees arrived at work the following Monday, they began flooding the IT help desk with angry calls. Quish’s entire department spent all morning trying to figure out what had gone wrong. Eventually, the inept worker stepped forward and told Quish what he had done. She asked him several times to explain why. He had no explanation. She told him to take the rest of the day off and to come in the next day with an answer to her question. He arrived late and still had no answer for what he had done. Quish showed him the door.

- M.L.
The right management can put you in control of your infrastructure, not the other way around.

So long, mayhem. Management is here. Unicenter infrastructure management software gives you unparalleled control of your IT environment. It lets your infrastructure react to changes in real time, so your IT and business priorities are always in sync. Its self-healing capabilities help you do more with less and control costs. To learn how the right management can help you realize on-demand computing with your existing infrastructure, or to get a white paper, go to ca.com/infrastructure.
“If [I] have an underperformer who [I] know is unable to reach my expectations, we will still invest enough time to make sure we have

- Martin Davis, CIO, Wachovia


Often, only senior executives and managers are force ranked, in order to identify and groom potential future executives. Other companies force rank all of their employees. When CIOs apply forced ranking to their IT organizations, usually all staffers get ranked against one another according to some criteria, such as the contribution that they made in IT to the company’s success.

Forced-ranking schemes all assume that something is amiss in an organization’s performance or development plans. Not everyone can be above average, after all. Bill Haser, CIO of Tenneco Automotive, a $3.5 billion manufacturer of car and truck parts, says he instituted forced ranking in his IT organization for that very reason. “We know our organization isn’t as good as the performance reviews would lead us to believe,” he says.


McKesson’s Smith has advocated distinguishing employees’ relative contributions to the company since moving into IT management from Ernst & Young in the early ’90s. At McKesson, where she became CIO on Oct. 1, 2002, she identifies not who to fire, but who to reward. The superstars in the top group are in line for raises, bonuses, opportunities for advancement and other perks. The solid performers in the large middle group get some financial remuneration for their efforts. The low performers get zip. “Most people, when you give them a very poor rating and when you don’t give them a raise and you don’t give them a bonus, leave the company [on their own],” she says.

Smith would seem to have found the perfect management model — a self-fulfilling performance ranking. Yet opponents of the forced-ranking concept point out several negative side effects. Ed Lawler, who wrote Treat People Right! and other books on performance and founded the Center for Effective Organizations at the University of Southern California’s Marshall School of Business, argues that rather than raising the bar for performance inside organizations, forced ranking — as it is usually applied — creates a dysfunctional, hypercompetitive work environment. While interviewing current and former Enron employees about the company’s corporate culture and forced-ranking process before its fall from grace, Lawler found that employees refused to collaborate with one another.

“They would hoard knowledge, hoard customers, because the last thing they wanted to do was share information with the people they were competing with,” Lawler says.

Another disadvantage of forced ranking, particularly when applied to IT groups, is the high cost of turnover and the difficulty of quickly finding employees with the right skill sets. For her part, Smith believes that any costs of hiring new people into her organization to replace poor performers are offset by an increase in overall productivity.

Some companies using forced ranking have become embroiled in discrimination lawsuits brought by employees upset over dismissal or lower pay. Conoco, Ford Motor and Microsoft have all faced such suits. Lawler says companies that use forced ranking get into trouble with litigation when the criteria they use to evaluate employees are too subjective — for example, a vague metric of “contribution made to the company.” A more defensible measure is a relation to something concrete, such as sales figures. But that poses a difficulty for CIOs, Lawler says, since IT employees rarely have a direct impact on a company’s sales or profits.

Clearly, forced ranking shouldn’t be used lightly. Even Grote, the performance consultant who’s a vocal proponent of forced ranking, doesn’t believe it should be done every single year. “The first time [you do it] you’re cutting the obvious fat. The second time, you’re cutting the interstitial fat. By the third time, you’re getting down to muscle and bone,” he says.

Five  Steps  to  Upgrading 
Workforce  Performance 

If you elect to use forced ranking — whether a scorched-cubicle variety or a kinder, gentler approach — there are ethical and legal guidelines to follow, as with any employment-related matter. The following steps will help you diagnose which type of underperformer you’re facing, decide whether he merits training or dismissal, and help protect you and your company from any lawsuits filed by disgruntled employees.

1. Use a performance appraisal system. Defined as the art of determining how well employees do their jobs, performance appraisal is distinct from forced ranking. Think of a rigorous and uniform system of performance appraisal as a solid foundation for making all decisions on promotions, employee development and terminations. You must first formulate a set of organizational or departmental goals for worker performance and then implement a fair and consistent method for judging how well workers meet those goals. Only then will you have a defensible basis on which to make personnel decisions.

Various performance appraisal systems have been developed over the years. (This is the province of the HR representatives, so consult them before proceeding.) Primedia’s Paper developed a method to evaluate her IT staff when she joined the company in October 2002. First, she helped formulate a document that defined the IT organization’s values and culture. Each employee was evaluated on his cultural fit. Next, she looked at past performance appraisals and met personally with everyone in the IT department. Based on those evaluations and conversations and her 20 years in IT management, she got a good sense of people’s values and skill sets.

She then composed a graph separated into quadrants. The X-axis indicated employees’ values; the Y-axis indicated their technology skills. She plotted each staff member on the graph according to his technical skills and cultural fit. Paper finds that plotting all of her people on a chart helps her determine who are the stars, who needs training, who is in the wrong job and who needs to exit the organization.

2. Keep HR in the loop. When facing a potential problem with an employee’s performance, immediately bring it to the attention of the human resources group. By alerting HR staffers that someone is having problems, you get them in the loop before the situation gets out of hand, and you cover your bases in the event that the person eventually is fired. Be prepared to be specific about your complaint — for instance, delays in a software implementation are due to the worker’s lack of skills or poor attitude.

If your relationship with HR is strained or distant, now is the time to turn that around. “It’s important to engage our professionals in HR to make sure we’re following all corporate and HR policies appropriately, we’re being fair to the employee and that we’re looking at all sides of the problem,” says Wachovia’s Davis. HR can bring its expertise to bear on performance issues and provide you or your managers with coaching, if needed.

Talk to Dick Grote

You know the rotten apples in the barrel will infect other workers with their poor attitudes and meager skills. But having the performance conversation— or firing someone— is very hard to face. SO, HOW DO YOU FIX POOR PERFORMERS? Dick Grote, president of Grote Consulting, may have just the answer for you. Through Nov. 15, fire your questions to him at www.cio.com/ask.

3. Confront the employee. There may be a good reason for the individual’s poor performance. Then again, there might not be. But it’s your responsibility to find out what’s going on. Begin by discussing the person’s work with his supervisor, peers and the users he supports so that you get specific examples of shortcomings. Once you have that information, sit down face-to-face for an honest and direct discussion about your expectations, where the failings are, and what impact that performance is having on the IT organization or the company at large. Also ask him why he thinks he’s falling short.

Davis believes managers owe employees the opportunity to explain themselves. If there’s an obstacle impeding their success or performance, this is the way a CIO will find out, he says.

4. Shift the onus for improvement to the employee. If the employee shows interest in doing better work, ask her to come up with an action plan. Offer your help if she needs it. You might suggest books to read, courses to take or people to talk to. But ultimately, her performance and her improvement are up to her. “I think a company has a responsibility to make sure you’re in the right spot, that you’re trained correctly, that you have the right tools to do your job. After that, your job and your performance are what you make of it,” Smith says.

If the employee denies that there’s a problem, is offended by your evidence of poor performance or says something like “That’s not what I was hired for,” then tell her to take the rest of the day off to figure out what’s best for her. “This is effectively a one-day suspension from work,” says Grote, the performance appraisal guru. This dramatic gesture brings home to the employee that her poor performance is serious business, Grote says, and gives her a decision to make: Return to the office the next day ready to change behavior, or look for a new opportunity elsewhere.

If the employee comes back promising to improve but doesn’t live up to her word, “then you’re about as bulletproof as can be” when you pull the trigger, says Grote. If, however, the worker seems sincere about doing better, then you have something to work with.

Sheleen Quish, global CIO and vice president of corporate marketing for U.S. Can, says that when it comes to determining whether an underperformer merits some sort of training or second chance, she bases her decision on the attitude and effort displayed. “No one’s going to flip a switch and become somebody different the next day. It’s a process. But if they exhibit the right attitude and energy and they’re willing to start the process, I’ll support them for a long time,” she adds.

5. Follow up frequently. “When you’re trying to get someone to perform at a higher level, you have to measure and monitor them a lot more often,” says Quish. “There’s a lot of following up and a lot of breaking projects down into bite-sized pieces.” She advises that an employee on an improvement plan should be given weekly tasks and goals, to be tracked by the person’s direct manager. Whether the employee is able to keep up with the weekly plan will quickly give you a sense of whether he can improve, Quish says. “If they’re not making it in weekly buckets, how are you ever going to give them a major project?” she asks.

It’s important to document all performance-related conversations you have with employees. When you hold them, note what you discuss and what the two of you agree on. That way, if you have to fire an employee, you have important evidence on your side in the event that he contests the termination.

Just  Win-Win,  Baby 

Dealing with a poor performer usually means that you have to bring the situation to a head, but that’s not necessarily a bad thing. Given the chance, most people want to do right by their employers, even as they’re looking out for their own interests. While at energy provider Aquila, Paper promoted a systems analyst to a senior analyst position. The new role turned out to be too much for the woman, who worked countless hours to keep up yet still turned in subpar work. Paper told the employee she wanted to drop her back to the systems analyst position so that she could again excel. Her salary would remain at her current level, and no one would know she was demoted.

The woman’s pride was hurt at first, but when she realized that this move would be good for her, she was relieved and embraced the opportunity. She’s still working for Aquila and thriving as a systems analyst. “If they’ve got the right values but the skill isn’t there,” says Paper, “then put them in a place where they can bring value to the organization.”


Senior  Writer  Meridith  Levinson  can  be  reached  at  mlevinson@cio.com. 
The ubiquitous awfulness of spam affords CIOs a rare opportunity to look good. Here’s how otherwise mild-mannered CIOs can leap into the spam fray and keep e-mail viable for users.

► How to find the right antispam devices

► Why it’s important to test spam controls before installing them

► How to choose between buying your own filters and outsourcing

Matt Kesner has been in IT long enough to take silence as a compliment.

“People don’t often come down to IT to say, ‘Nice job,’” says the CTO of Fenwick & West, a national law firm. “The best you get is that they don’t come down at all when things are running well.”

But then Kesner tackled the firm’s spam problem, and suddenly he found himself a hero. After he outsourced the problem to a managed service provider, the law firm’s partners (whose time is worth $350 to $600 an hour) were no longer spending more than an hour a day wading through 300 to 500 spam messages to get as many legitimate messages. “We got quite a few pats on the back and attaboys after putting the spam filter in place. Users saw the difference instantly and are dealing with hundreds fewer messages a day. They actually got excited about it.”
Unlike the invisible foe of Y2K, the scourge of spam — which plagues receptionists and CEOs alike — is painfully evident to everyone. Now that spam accounts for 40 percent to 60 percent of most organizations’ e-mail traffic, you scarcely need to mention that Ferris Research says spam will cost U.S. businesses at least $10 billion this year, or that Nucleus Research estimates that companies forfeit $874 per employee annually in lost productivity alone. Nor do you have to bring up the fact that spam clogs e-mail systems and siphons IT resources away from legitimate business projects. Spam is a royal pain in the server, and we all know it.

As Kesner has discovered, the sheer ubiquitousness of spam affords CIOs a rare opportunity to look good. Although receiving some spam is inevitable (and employees’ expectations should be set accordingly), there’s plenty you can do to make things better. In fact, there’s plenty you should do, since the problem is only going to get worse, and you can’t count on antispam legislation to save the day. (Criminalizing spam would simply drive more spammers to send their messages through offshore ISPs.) Solve the spam problem — or even just put a big dent in it — and you too can be a hero. Here’s a look at how otherwise mild-mannered CIOs are leaping into the spam fray to help keep e-mail viable for users.

The Spam Balancing Act

What makes it so hard to write antispam laws or antispam software is that there’s no such thing as a universal litmus test for spam. “One person’s spam is another person’s newsletter,” says Eric Ogren, a senior analyst at the Yankee Group. “There’s no magic widget the CIO can put in front of the e-mail server and spam goes away.”

End users have to be involved in deciding what is spam, he explains, because what’s unwanted can vary widely not just from one company to the next, but from one person to the next. What looks like spam to the rest of the world could be essential business communication for certain employees. Colorful language might be important to a customer service agent (displeased customers often lose their tempers, after all), anatomical references may be work-related for a doctor in a research hospital, and Viagra messages could very well be germane to someone in the pharmaceutical industry.

Case in point: When John Zarb, CIO of Libbey, a manufacturer of glassware, china and flatware, tested the Guenivere (a virus and subject-line filter) and SpamAssassin (an open-source spam filter), he had to shut them off after 10 days because they were rejecting important legitimate e-mails. The filters bounce mail with a spam score of 7.5, yet they were automatically assigning 7 points to e-mails from an Asian country in which Libbey has business relationships. Another rule assigned what Zarb calls “bad points” for using all capital letters. Since using all caps is common practice in that Asian country, messages from those business partners easily racked up more than 7.5 points and therefore got zapped. “If the message is a transport document, ouch,” says Zarb. His group tweaked the default settings so that Asian e-mails wouldn’t automatically accrue so many points. Today, the filters block about 70 percent of Libbey’s spam, and Zarb says the false positive rate is far lower but not zero. Because some messages are too critical to miss, he decided to exempt a few employees who deal with international issues from the SpamAssassin filter.

Walter Smith, director of the global IT infrastructure services group at Advanced Micro Devices, decided that outsourcing spam control to a vendor that has multiple solutions would be the best approach for his company.


As Zarb quickly discovered, once you start filtering mail, you run the risk of blocking legitimate e-mails because they look like spam. Avoiding an unacceptable level of “false positives” requires a delicate balancing act. Although most vendors will claim they capture at least 90 percent of spam, going above 90 percent will probably result in too many false positives, says Matt Cain, a senior vice president at Meta Group. “You could crank it up and catch 98 percent of spam. But you’d get an unhealthy amount of false positives,” he says. “And if you go down to 85 percent, you’ll have very few false positives, but too much spam will be getting through.”
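Zarb’s stacking-rules problem and Cain’s catch-rate trade-off, worked through in code as an added example (not the page’s, Libbey’s or SpamAssassin’s own code); the rule names, point values, the “.zz” placeholder country code and the labelled messages are all constructed:

```python
"""Additive rule scoring of the kind Zarb tuned at Libbey, plus a threshold
sweep showing Cain's trade-off: block more spam, block more legitimate mail.

Constructed example: rule names, point values, the ".zz" placeholder country
code and every message below are made up; this is not the real SpamAssassin
rule set or Libbey's configuration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    sender: str
    subject: str
    body: str
    is_spam: bool  # ground-truth label, as a shadow-mailbox review would give


WATCHED_TLDS = {"zz"}   # placeholder for the country the default rule penalised
BOUNCE_THRESHOLD = 7.5  # Libbey's filters bounced mail scoring 7.5 or more


def rule_watched_tld(m):
    return m.sender.rsplit(".", 1)[-1].lower() in WATCHED_TLDS

def rule_all_caps(m):  # Zarb's "bad points" for all capital letters
    letters = re.sub(r"[^A-Za-z]", "", m.subject)
    return len(letters) >= 8 and letters.isupper()

def rule_drug_words(m):
    return re.search(r"\b(viagra|cheap pills)\b", m.body, re.I) is not None

def rule_mortgage_pitch(m):
    return re.search(r"\b(mortgage rate|refinance)\b", m.body, re.I) is not None

def rule_deal_words(m):  # Kesner's problem: normal vocabulary in commercial mail
    return re.search(r"\b(buy|sell|price)\b", m.body, re.I) is not None

# (predicate, points): positive points push a message toward "spam".
DEFAULT_RULES = [(rule_watched_tld, 7.0), (rule_all_caps, 1.5),
                 (rule_drug_words, 5.0), (rule_mortgage_pitch, 6.0),
                 (rule_deal_words, 3.0)]
# Zarb's tweak: mail from the watched country no longer starts near the threshold.
TUNED_RULES = [(rule_watched_tld, 1.0)] + DEFAULT_RULES[1:]


def score(m, rules):
    """Sum the points of every rule that fires; nothing fires -> 0."""
    return sum(points for pred, points in rules if pred(m))

def is_blocked(m, rules, whitelist=frozenset(), threshold=BOUNCE_THRESHOLD):
    """Whitelisted senders bypass scoring, like the users Zarb exempted."""
    if m.sender.lower() in whitelist:
        return False
    return score(m, rules) >= threshold

def evaluate(msgs, rules, threshold, whitelist=frozenset()):
    """Return (catch_rate, false_positive_rate) over a labelled corpus."""
    spam = [m for m in msgs if m.is_spam]
    ham = [m for m in msgs if not m.is_spam]
    caught = sum(is_blocked(m, rules, whitelist, threshold) for m in spam)
    false_pos = sum(is_blocked(m, rules, whitelist, threshold) for m in ham)
    return caught / len(spam), false_pos / len(ham)


# Constructed corpus: two partner messages from the watched country, a client
# message using trading vocabulary, an HR note, and three spams.
CORPUS = [
    Message("export@partner.zz", "SHIPPING DOCUMENTS FOR PO 4471",
            "Attached is the transport document for container 12.", False),
    Message("sales@partner.zz", "Re: delivery schedule",
            "Confirming the revised dates.", False),
    Message("counsel@lawclient.test", "Share purchase",
            "Please confirm the price before we buy the shares.", False),
    Message("hr@example.com", "Benefits enrollment reminder",
            "Open enrollment ends Friday.", False),
    Message("promo@bulkmail.test", "LOWER YOUR PAYMENTS TODAY",
            "Lock in a new mortgage rate before rates rise.", True),
    Message("rx@bulkmail.test", "Discreet shipping",
            "Genuine viagra delivered to your door.", True),
    Message("deals@bulkmail.test", "Re: your order",
            "Best price of the year, limited stock.", True),
]

if __name__ == "__main__":
    doc = CORPUS[0]  # the all-caps transport document from a partner
    print("default rules:", score(doc, DEFAULT_RULES), "tuned:", score(doc, TUNED_RULES))
    for threshold in (7.5, 5.0, 3.0):  # lower threshold = more caught, more FPs
        catch, fp = evaluate(CORPUS, TUNED_RULES, threshold)
        print(f"threshold {threshold}: catch {catch:.0%}, false positives {fp:.0%}")
```

With the default points the partner’s transport document scores 8.5 and bounces; with the tuned rule it scores 2.5, and the sweep shows that pushing the threshold down to 3.0 catches every spam only by also blocking the client’s message.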

At printing ink manufacturer Flint Ink, Vice President and CIO Don Barnowski has been trying out Symantec’s Norton antispam product. After initially filtering on 300 to 400 keywords, false positives were a daily occurrence. “We started to get calls from people not getting e-mail they were expecting,” he says. “That was a red flag; you don’t want people questioning the integrity of e-mail delivery.”

Cutting the keyword list in half cut the false positive rate in half, but it also let more spam through. “I’ve accepted the fact that we can’t prevent all spam from reaching employees,” he says. “Finding out five times a day that I can improve my mortgage rate is irritating but not offensive. There’s a big difference there. It’s more important to reduce the number of false positives than it is to smother all spam. You can’t have it both ways, unfortunately.”

Cost of spam per employee in lost productivity: $874/year
SOURCE: Nucleus Research

To combat false positives, make sure you choose a spam solution that gives you a quarantine area for probable spam that users can access to check for legitimate messages. Users can be alerted in the form of an e-mail digest of all blocked spam subject lines or be directed to a Web mailbox. Outsourcers generally maintain quarantine areas on their servers so that companies don’t have to tie up their own networks with suspected spam. Giving end users the ability to add addresses to trusted sender lists (often called whitelists) also ensures that legitimate senders won’t get blocked.

“We took the approach of putting in very coarse controls at first, then tightening them up, rather than going with the ‘big bang’ theory and begging forgiveness for weeks,” says Gene Fredriksen, vice president of information security at financial services company Raymond James Financial. “It’s absolutely a strategy I’d recommend. You have to build trust in your system first.”

Fredriksen uses Syntegra’s managed service to filter spam for the company’s 14,000 mailboxes.

It’s also smart to test before you buy, particularly if blocking any legitimate e-mails would harm your business. At Fenwick & West, Kesner created shadow e-mail boxes for some of the firm’s biggest e-mail users, into which he put duplicates of all of their messages. He then used those shadow boxes to test antispam products. Because some of the language used in the firm’s large commercial transactions — buy, sell, price, dollars — tends to show up in spam, he was dismayed to discover false positive rates of 1-to-1,000 and even as high as 1-to-100.

“In our business, every e-mail from clients is really crucial. We can’t block a high percentage of legitimate e-mail,” Kesner says. “We needed to be below 0.05 percent, which seemed near unattainable with a filter.”

After trying out more than 18 antispam products, Kesner decided to go with Postini’s antispam service. With Postini, his false positive rate approaches 1-to-10,000, in part because users can put trusted senders on a whitelist, meaning messages from those senders automatically bypass the filters and get delivered.

Kesner’s cautious approach of testing on duplicate messages allowed him to get a real-world read on false positive ratings without worrying about losing any legitimate messages.


The Outsourcing Option

Kesner’s testing convinced him that the ability to filter out most spam while maintaining an extremely low false positive rate was worth the risk of outsourcing. “I was cautious of an outside service,” he says. “But [being an outsourcer] allows them to respond to spam outbreaks faster than their competitors.” Sending out a spam update to thousands or millions of remote users is taxing, so spam software makers tend to roll these updates into packages and send them periodically. A service provider can simply add an update to a few servers in a couple minutes and have the update apply to all customers nearly instantly.

Postini also lets Fenwick & West IT employees choose how much of each kind of spam they want to filter out by setting filters for each of four subcategories of spam: explicit content, get rich quick, too good to be true and racially insensitive. Kesner pays a per-user fee, which turned out to be about half of what he’d budgeted for. And because he’s now blocking at least 99 percent of incoming spam (5,000 to 7,000 messages a day get trapped on Postini’s servers), Kesner has been able to delay the purchase of four new servers (costing $10,000 to $20,000 each) by more than six months.

Indeed, using an outsourcer can be cheaper than managing the spam problem internally. Water Pik, which manufactures personal health-care products, pool products and heating systems, also found that to be the case. “We looked at the cost of doing it internally, and it was staggering,” says CIO Wallace Miceli. “We’re talking one or two people full-time,” he says. Miceli pays FrontBridge $1.50 per month for each of his 1,000 users, which he says is cheaper than buying and maintaining an onsite filter.

Outsourcing, however, won’t work for everyone. Large companies, those with multiple locations whose mail doesn’t all pass through one or two points, and those that use both private and public networks, may find it tricky to outsource. And the obvious downside of outsourcing is that it requires giving someone else the authority to decide what e-mail enters your organization. “For a spam filter to work very effectively, it has to look to a certain extent at the body of the message,” says John Mozena, a cofounder of the Coalition Against Unsolicited Commercial Email (CAUCE). “Something — even if it’s just a piece of software — is reading your company’s mail. For some companies, that is not acceptable.” Law firms and hospitals, for example, might be wary of exposing confidential client or patient e-mail to a third party.

If you choose to outsource, make sure your service provider will give you timely access to quarantined messages. When Rush Enterprises, a truck, construction and farm equipment dealer, tried outsourcing, Rush’s e-mail administrator couldn’t see what was being filtered and therefore couldn’t tell if the company was missing good e-mails. “When you outsource, you generally lose control,” says CIO Scott Kressner. If there was a problem, or if a user needed to be able to receive an important message, it took hours or even a day or two to resolve the situation. Kressner ended up purchasing the antispam appliance (a server loaded with the outsourcer’s software that sits in front of the real mail server) and now uses it in conjunction with Symantec Gateway. Although the appliance was more than two or three times the annual cost of the service, Kressner says it’s been well worth it to regain control.

Eight Steps for Canning Spam

When implementing spam-filtering technology, it’s best to start slowly and then ramp up to avoid blocking legitimate messages. Here’s expert advice on launching a filtering program.

1. Carefully negotiate licensing deals. Prices will fall significantly through 2004 as the antispam market consolidates.

2. Look at various options. Consider outsourcing, appliances and open-source software in addition to commercially licensed software.

3. Choose antispam products that support multiple detection methods (such as signature-based methods, heuristics and Bayesian filtering), user management (such as whitelists, blacklists and quarantines) and granular policies.

4. Educate users on how to avoid spam.

5. Establish an e-mail address for users to report spam to IS.

6. Go slow. For the first two weeks, put the spam-filtering system in audit mode without quarantining or deleting any mail. Review audit reports to see how much mail is spam and what type of spam it is.

7. Check false positives. Use the audit results to define policies and determine how many false positives (the number of legitimate messages you block) your organization can tolerate. The more spam you block, the higher your false positive rate will be.

8. Filter spam in steps. Start by flagging suspected spam and letting users decide what to do with it. Then quarantine spam, but give users the opportunity to review their blocked messages.

SOURCE: Maurene Caplan Grey, Gartner research director

A Spam Cocktail

A year or two ago, subscribing to a list of known spammers (known as a black-hole list or a blacklist), or relying on a signature approach (comparing the patterns in a new message against the fingerprints of known spam messages), or using reverse DNS lookup to check whether the sending domain was legitimate might have worked. But companies can’t rely on just one type of blocking anymore.

“I’d strongly argue that you need a spam cocktail — a variety of approaches that work together to generate a probability as to whether a message is spam or not,” says Meta’s Cain. The most reliable products and services subject each e-mail to numerous tests that yield a probability score indicating how likely the message is spam. Companies can then set up rules that, for example, delete messages with a spam score of 95 percent or more, quarantine messages in the 85 percent to 95 percent range, and deliver (with a “suspected spam” warning) messages with scores between 75 percent and 85 percent.

The managed service provided by FrontBridge, for example, uses the cocktail approach. To make it into a user’s inbox, an e-mail must clear three hurdles. First, its sender can’t be on FrontBridge’s proprietary blacklist. Then it must pass through a spam fingerprinting layer that identifies specific characteristics unique to spam. (For instance, spam often hides a stash of unspammy words in white HTML text on a white background to try to fool filters into thinking it’s real e-mail; legitimate e-mail would not include white-on-white text.) Finally, it’s got to survive a heuristics layer, which involves rule-based scoring. Spamlike behaviors, such as odd characters, spacing or HTML links, earn bad points, which are offset by good points awarded for characteristics that suggest legitimacy. FrontBridge updates 250 of its 10,000-plus rules daily.
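The three hurdles just described, fed into Cain’s percentage tiers, assembled as one pipeline in an added example (not FrontBridge’s, Postini’s or any vendor’s code); the list entries, fingerprint check, rule weights, the mapping from net points to a 0-100 probability, the action each layer takes on a hit and every sample message are constructed assumptions:

```python
"""Layered "spam cocktail": blacklist, fingerprinting and heuristic scoring,
then tiered dispositions (delete at 95+, quarantine 85-95, tag 75-85, else
deliver). A whitelist bypasses every layer, as the article describes.

Constructed example: list entries, the fingerprint check, heuristic rules,
point values, the points-to-probability mapping, the action each layer takes
and all sample messages are illustrative assumptions, not any vendor's rules.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Email:
    sender: str
    subject: str
    html: str  # body as received, possibly HTML


BLACKLIST = {"bulkmail.test"}           # hurdle 1: sender domains rejected outright
WHITELIST = {"counsel@lawclient.test"}  # trusted senders skip every layer

# Hurdle 2: fingerprints, traits legitimate mail would not carry. White text
# (on a presumed white page) hides filler words from keyword filters.
WHITE_FONT = re.compile(r"""<font[^>]*color\s*=\s*["']?(?:#fff(?:fff)?|white)\b[^>]*>""", re.I)

def fp_white_on_white(e):
    return WHITE_FONT.search(e.html) is not None

FINGERPRINTS = [fp_white_on_white]

# Hurdle 3: heuristics. Bad points for spamlike traits, good (negative) points
# for traits suggesting legitimacy; the net is clamped to a 0-100 probability.
def odd_characters(e):
    return len(re.findall(r"[!$%*]", e.subject + " " + e.html)) >= 5

def spaced_out_word(e):  # "v i a g r a" style letter spacing
    return re.search(r"\b\w(?:\s\w){4,}\b", e.html) is not None

def many_links(e):
    return len(re.findall(r"<a\s", e.html, re.I)) >= 3

def shouting_subject(e):
    letters = re.sub(r"[^A-Za-z]", "", e.subject)
    return len(letters) >= 6 and letters.isupper()

def unsubscribe_footer(e):
    return "unsubscribe" in e.html.lower()

def reply_thread(e):
    return e.subject.lower().startswith("re:")

def business_terms(e):
    return re.search(r"\b(invoice|purchase order)\b", e.subject + " " + e.html, re.I) is not None

HEURISTICS = [(odd_characters, 30), (spaced_out_word, 35), (many_links, 20),
              (shouting_subject, 15), (unsubscribe_footer, 15),
              (reply_thread, -20), (business_terms, -25)]

def spam_probability(e):
    points = sum(w for pred, w in HEURISTICS if pred(e))
    return max(0, min(100, points))

def disposition(e, whitelist=WHITELIST, blacklist=BLACKLIST):
    """Return (action, reason); action is deliver, tag, quarantine or delete."""
    if e.sender.lower() in whitelist:
        return "deliver", "whitelisted sender"
    if e.sender.rsplit("@", 1)[-1].lower() in blacklist:
        return "delete", "blacklisted sender"
    for check in FINGERPRINTS:  # a fingerprint hit skips scoring altogether
        if check(e):
            return "quarantine", "fingerprint " + check.__name__
    p = spam_probability(e)
    if p >= 95:
        return "delete", f"score {p}"
    if p >= 85:
        return "quarantine", f"score {p}"
    if p >= 75:
        return "tag", f"score {p}: delivered marked as suspected spam"
    return "deliver", f"score {p}"

# Constructed sample messages, one per path through the pipeline.
LINKS = "".join(f'<a href="http://example.test/{i}">go</a>' for i in range(3))
SAMPLES = {
    "blacklisted": Email("promo@bulkmail.test", "Great offer", "<p>hello</p>"),
    "hidden_text": Email("news@deals.test", "Your weekly update",
                         '<font color="#ffffff">meeting agenda quarterly report</font>' + LINKS),
    "flagrant": Email("win@lotto.test", "!!! $$$ WIN BIG $$$ !!!",
                      "<p>v i a g r a at wholesale</p>" + LINKS + " unsubscribe"),
    "borderline_high": Email("offers@promo.test", "AMAZING OFFER",
                             "<p>g e n e r i c pills at low cost</p>" + LINKS + "<p>unsubscribe</p>"),
    "borderline_low": Email("shop@store.test", "SALE ENDS TONIGHT!!!!!",
                            LINKS + "<p>To unsubscribe reply to this message.</p>"),
    "legit_reply": Email("ap@supplier.test", "Re: invoice 2231",
                         "<p>Purchase order 8812 attached, please confirm.</p>"),
    "trusted_styled": Email("counsel@lawclient.test", "Draft agreement",
                            '<font color="white">CONFIDENTIAL</font> draft attached'),
}

if __name__ == "__main__":
    for name, e in SAMPLES.items():
        print(f"{name:16} -> {disposition(e)}")
```

The last sample shows why whitelists matter in a layered design: a styled but legitimate message would otherwise be quarantined by the white-text fingerprint.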

Although attacking spam on multiple fronts may seem like overkill, Walter Smith can attest that it’s necessary. As director of the global IT infrastructure services group at Advanced Micro Devices (AMD), he calculated that spam was costing the computer chip manufacturer more than $1.5 million a year in lost employee productivity. He first took a crack at handling the problem internally. “Our initial approach was to use fairly simple rules to identify spam and tag junk mail,” he says. “We quickly found out that simple rules and spam don’t go together.” Before long, two full-time employees were consumed with tweaking the rules to account for all of the variations in spam, and even then, they couldn’t keep up with the spammers. Only about 30 percent of spam was getting tagged, and some legitimate e-mail was wrongly identified as spam.

So when AMD’s e-mail firewall vendor announced an antispam product in May, the decision to use it was more or less a no-brainer, says Smith. AMD already used Tumbleweed both to scan all incoming e-mail for viruses and to prevent confidential competitive information from leaving the company. With the Tumbleweed infrastructure already in place, AMD could plug in the vendor’s new spam component for an annual per-user cost of about $5, an investment that paid for itself in less than a month. Today, 90 percent to 95 percent of all incoming spam is tagged as such. And no more than a quarter of a single IT employee’s time is needed for ongoing maintenance.

“Having a combination of rules, heuristics and blacklists is really key because of the creativity of spammers,” says Smith. “Simple, obvious solutions don’t work today. We quickly realized that stopping junk mail is not a core competency of our company. And we needed to get out of that business as soon as we could.”

In attacking AMD’s spam problem, the last thing Smith wanted to do was to take on the role of corporate censor. “We didn’t want to be perceived as content filterers,” he says. In the interest of providing a nonhostile work environment, however, AMD does delete all spam with a high probability of containing adult content. But all other spammy mail gets sent along to users, marked as suspected spam. Users then decide for themselves whether to have Outlook filter all spam, put it in a spam folder, or keep it in their inboxes for manual scanning and deletion.

Now that spam is under control at AMD, Smith and his department have attained the same herolike status Kesner enjoys. “It’s a huge value IT has delivered to the company, and it’s been huge, positive publicity for IT,” he says.

Act Now, Think Long-Term

Like Smith at AMD, many CIOs would prefer to turn to the same vendor for all of their e-mail security services, including spam filtering, virus protection and denial-of-service protection. “You don’t want a box for virus, a box for spam, a box for content filtering, a box for something else,” agrees Maurene Caplan Grey, a research director at Gartner. “You want as few boxes as possible, and you want them to work nicely together with a central console for monitoring.”

But you shouldn’t blindly sign up for whatever antispam solution your current antivirus provider happens to have, warns Meta’s Cain. He maintains that the spam offerings of many antivirus vendors are antiquated and not updated often enough to keep up with the spam threat. Keeping pace with spammers has become a full-time job; some antispam outsourcers update their rules daily, hourly or even more often if need be. Your best bet is to invest in a spam cocktail approach from a vendor or service provider with a track record of offering frequent updates (which suggests a commitment to staying current in the spam-antispam arms race) and to make sure that it does not conflict with other e-mail security services. (Ideally, all e-mail services should be integrated.)

Learn More About Spam Blacklists

The Federal Trade Commission is one organization using blacklists (or blocklists) to keep spam out of its system. To find out how it makes use of spam blocking services, read the online exclusive “Fighting Spam on a Shoestring.” Go to www.cio.com/printlinks.

While more than 90 antispam vendors stand ready to take your money today, the market will consolidate to about a dozen serious contenders by mid-2004, Grey predicts. She anticipates that the dozen antispam products that survive will be about equally effective, catching 95 to 98 percent of spam with a 0.5 percent false positive rate, even though they may use different technologies to filter spam. She advises choosing a vendor that supports multiple detection methods, and suggests looking at the extent to which vendors are using adaptive technologies (such as Bayesian filtering) that learn about spam’s characteristics and can take a more proactive approach to blocking it.

Even though the antispam market is still maturing, you can’t afford to wait and see how things will shake out. “Spam is too horrible a problem — and it’s going to get more malicious. Two years ago, spam was a little annoyance. If you had a blacklist in place, everything was OK. That’s not the case today,” says Grey. “You need to do something right now, even though none of this is completely baked.”


Senior Editor Alice Dragoon waded through some 3,600 spams while reporting this story. Write to her at adragoon@cio.com. But don’t put “spam” in the subject line or your message will get filtered. Really.
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Nerves  and  muscles  coordinate 
for  exceptional  physical  performance. 


Introducing  the  affordable  new  IBM  eServer  pSeries™  615. 

The  human  body  performs  exceptionally.  So  does  the  IBM  server 
line  for  UNIX®  The  new  IBM  eServer  pSeries  615  offers  110%  more 
performance  than  its  powerful  predecessor,  but  at  one-third  less 
starting  cost!  Prices  start  at  $5,745?  It  has  everything.  Fourth-generation 
POWER4+™  technology?  Yes.  Linux  ready?  Yes.  Autonomic  and 
self-healing  features?  Absolutely.  On  demand?  Of  course. 

eServer:  servers  for  on  demand  business. 

Can  you  see  it?  For  a  white  paper  on  why  POWER4+  and 
more  on  IBM  offerings  for  UNIX,  visit  ibm.com/eserver/p615 


'Performance  based  on  rPerf  (Relative  Performance)  results  of  2.50  for  a  1-way  p615  using  1.2GHz  POWER4+  processors  and  16GB  of  memory  vs.1.19  for  a  1-way  p610  using  450MHz  POWER3-II  processors 
and  8GB  of  memory.  rPerf  is  an  IBM  estimate  of  commercial  processing  performance.  Pricing  based  on  p615  Express  Configuration  with  1-way  1.2GHz  POWER4+  processor.  1 GB  memory  and  one  36.4GB 
disk  drive  at  $5,745  vs.  p610  Express  Configuration  with  1-way  450MHz  POWER3-II  processor,  1GB  memory,  CD-ROM  and  one  36.4GB  disk  drive  at  $8,895.  Both  Express  Configurations  include  AIX  license 
and  one  year  of  Software  Maintenance  for  AIX  Operating  Systems  (SWMA).  :For  p615  Express  Configuration.  U.S.  list  prices  are  current  as  of  6/23/03  and  are  subject  to  change  without  notice.  Reseller 
prices  may  vary.  IBM,  the  e-business  logo,  AIX,  eServer,  POWER4+  and  pSeries  are  trademarks  or  registered  trademarks  of  International  Business  Machines  Corporation  in  the  United  States  and/or  other 
countries.  UNIX  is  a  registered  trademark  of  The  Open  Group  in  the  United  States  and  other  countries.  Other  company,  product  and  service  names  may  be  trademarks  or  service  marks  of  others. 
©2003  IBM  Corporation.  All  rights  reserved. 


The  brain  is  partitioned  in  order  to  handle  multiple  functions. 
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Referenced  capabilities  not  available  on  all  models.  IBM  eServer  BladeCenter  and  xSeries  systems  require  optional  VMware'“  software.  For  BladeCenter,  VMware  support  is  provided 

by  VMware.  IBM,  the  e-business  logo,  eServer,  BladeCenter  and  xSeries  are  trademarks  or  registered  trademarks  of  International  Business  Machines  Corporation  in  the  United  States  * 

and/or  other  countries.  Windows  is  a  trademark  of  Microsoft  Corporation  in  the  United  States,  other  countries,  or  both.  UNIX  is  a  registered  trademark  of  The  Open  Group  in  the 
United  States  and  other  countries.  Other  company,  product  and  service  names  may  be  trademarks  or  service  marks  of  others.  ©2003  IBM  Corporation.  All  rights  reserved. 


Partitioned to run multiple applications across one system. On demand.

Our minds are cleverly organized. Ditto IBM eServer. IBM eServer systems offer logical partitioning capabilities, which help you handle changing business requirements. On demand. IBM eServer systems can allow you to leverage your server investments while slashing costs. You can share resources across multiple partitions using virtual, dynamic technologies. Which means you can harness unused capacity at an impressive rate. Think about it.

eServer: servers for on demand business.

Can you see it? See it at ibm.com/eserver/ondemand


Windows® | Linux | UNIX® | Midrange | Mainframe | Blades | Storage


Vendor Management

Getting the Best Vendors (What Really Works)
that lowball tactics eventually boomerang into poor service and support.

When Jeff Chasney signed on a few years ago as CIO of Vicorp, which owns the Village Inn family restaurant chain, he inherited a contract for maintenance of point-of-sale terminals that had “great, low rates.” But service was a disaster. When equipment that was used to input orders to the kitchen malfunctioned, it wasn’t repaired promptly, and the downtime resulted in lost revenue.

He fired the vendor and put the contract up for bid again. To his surprise, every proposal he received quoted a higher labor rate than he had been paying. “While everyone was doing high fives over getting such a great price, we had put [the vendor] in such a bind it was impossible for them to be successful,” Chasney says. He agreed to pay the next contractor more; system uptime improved and so did the bottom line.

Reader ROI

► Why negotiating a cheap deal isn’t always in your best interest
► How to set the tone for negotiating with your vendors
► Why it’s important to craft an SLA that focuses on business objectives

Chasney, now the executive vice president and CIO with CKE Restaurants, the $1.3 billion franchisor of Hardee’s, Carl’s Jr. and La Salsa restaurants, says he always looks for “fair deals,” in which the vendor makes money and he gets value. After 15 years as a CIO, he’s familiar enough with vendors’ costs to know how far he can push them without hurting himself.

Yet according to an exclusive CIO survey, he’s an exception rather than the rule. Although 94 percent of the 118 IT executives surveyed make the effort to negotiate lower fees, that kind of lowballing generates precious little business benefit. Indeed, the same survey found that for nearly two-thirds of respondents, squeezing dollars from vendors’ fees wasn’t very effective at adding business value. It didn’t, for instance, make employees more productive or generate new business. And in many cases, it boomeranged into poor service and support. When it comes to relationships with vendors, the old adage still applies: You get what you pay for.

“If you get the lowest cost and that hurts the vendor, you will suffer,” Chasney says.

To make sure he gets value from his vendors, Jeff Chasney, executive vice president and CIO with CKE Restaurants, negotiates detailed service-level agreements that spell out what he’ll get for his money.

To make sure he gets what he pays for, Chasney negotiates detailed service-level agreements (SLAs) that spell out what he’ll get for his money. And in fact, what does add value, according to the survey respondents, is crafting airtight contracts that balance toughness with fairness. Fifty-four percent of those surveyed give high marks to the effectiveness of comprehensive SLAs. The more specific the SLA, the better, CIOs say in interviews, so that both you and your contractors agree about what they have to deliver and when, and how much it’s going to cost.

“You should avoid the tendency to take the last nickel off the table,” says Wayne Bennett, an attorney with law firm Bingham McCutchen who negotiates IT contracts. “When push comes to shove, there are things that will go wrong with a project, and you’re going to have to have a discussion about how to right this ship. That discussion will be colored by whether there is anything left in this deal for the vendor.”

THE HASTA LA VISTA BLUFF

These days, any customer — but especially a big customer — can throw its weight around. It’s easy when the economy is still in the doldrums and so many vendors are chasing so few corporate IT dollars. Besides, says Chasney, most products and services are priced for haggling. Buying a million-dollar database? “I know there are [vendors] that put a system in for free to get rid of competitors,” he says. “The cost to them to create five more CDs and another set of books is less than $1,000. The bang for them [is] in the maintenance fees.”

In addition, plenty of CIOs are under orders to keep down costs in the short term. Meeting budget numbers for the quarter, or the year, may take precedence over maximizing value. And there is some value to negotiating lower prices. During the tech boom, some CIOs bought too much and are now stuck with equipment and software that they no longer need. There’s little point in paying full freight for something you’re not using, such as software licenses. Reopening a long-term contract may be an option, but it isn’t easy, says Phil Bertolini, director of information technology with Oakland County, Mich. You have to be willing to walk away from the contract altogether if the vendor won’t renegotiate. And breaking a software or hardware contract may involve paying penalties, and you’ll probably have to shoulder the cost of maintaining systems yourself.

The CIO for a large manufacturer of high-tech equipment bought several thousand licenses for an ERP system from SAP in the late ’90s and never used them all. Now he has one-third fewer users, only a couple of hundred of which are active at any one time. The CIO wanted to quit paying the maintenance fee for the idle seats and got SAP to slash $1 million from his annual bill. During the negotiations, the CIO decided he would kill the entire contract if necessary and take on system maintenance himself. Walking away from the deal would also mean forgoing upgrades. “We were prepared to say we’d live at this level, knowing we would be shooting ourselves in the foot,” he says.

In bargaining down his maintenance fees, the CIO did make a trade-off in favor of the vendor: He agreed not to lock in the rate he’ll pay on licenses he reactivates. Locking in rates or rate increases for maintenance fees per license is one way CIOs are able to keep their costs low and predictable. By giving up a long-term negotiated rate per license, the CIO essentially gave his vendor permission to charge him higher maintenance fees in the future. “We’ve started hiring again, and we may have increased costs in the future,” says the CIO. But the renegotiations enabled him to save money now and continue to have SAP support his ERP system.

KEEPING ON BUDGET

U.S. Navy imagery used in illustration without endorsement expressed or implied.

Unbiased. Experienced.

The Naval Air Systems Command wanted to streamline financials and cut the delivery time of everything from fighter jets to cruise missiles. But that meant replacing more than 100 separate systems in 126 sites with a single global solution. And that’s not easy to do while you're also trying to keep the U.S. Navy prepared to meet any challenge.

That’s where BearingPoint came in.

We built a solution that allows NAVAIR to track and transfer funds around the globe in real time — cutting the approval process from weeks to minutes and speeding the delivery of aircraft, weapons and other critical equipment. They’re the kind of results you can achieve when you choose a partner that puts your success ahead of its own.

A partner without bias.

A partner like BearingPoint.

Find out how we can help you. Visit bearingpoint.com.

BearingPoint

CONSULTING ♦ SYSTEMS INTEGRATION ♦ MANAGED SERVICES Business and Systems Aligned. Business Empowered.

Even when a deal is for a commodity such as a PC or telecom services, you have to think about factors such as maintenance and replacement costs. Is the vendor that sold you those servers at a rock-bottom price going to replace them if they turn out to be lemons? And if not, how much is that going to cost you later?

Several years ago, Sandra Hofmann, CIO with ERP vendor Mapics, chose a low-price vendor to supply videoconferencing services, only to have that company bought soon after by the larger, higher priced competitor she had rejected. Although the new vendor honored the original contract terms, it decided not to continue supporting the original vendor’s product, so Hofmann had to switch when her agreement expired. Then she had to retrain users on the new software.

“Having to relaunch any service, even with minor changes, means that I’m not as efficient,” she says. While Hofmann still tries to pay as little as she can, she learned that hiring the lowest-cost vendor is risky because it may not be as financially stable. “It may be a reasonable trade-off, but it should be done consciously.”

Frank Enfanto, vice president of operations delivery and information security with Blue Cross Blue Shield of Massachusetts, cautions that if a vendor wants your business badly enough, it’ll promise anything. He recalls a recent negotiation to consolidate his company’s telecommunications services with one vendor out of the three companies it had been using. Enfanto says he settled on the vendor that he was confident could match the price he wanted and still maintain the service levels he required. When he notified the two other competitors of his decision, one of them — a large, national provider — asked for another shot at the contract. “They told me they were holding back” and could beat the prices they had originally offered, says Enfanto. But he wondered if that vendor would really deliver the same service levels and terms at the lower price. Because of his suspicions, he didn’t reconsider his decision.


MANY OF THE most effective contracting practices link vendor payments to performance through detailed service-level agreements.


to Maximizing Vendor Value

1 Do your homework. If you can’t define the results you want and how you plan to measure them, your vendor won’t be able to either. Involve the business in helping you to determine the performance levels you’ll require from the contract. When you do set down your expectations, vendors will hold you to them. “They expressly list your assumptions in the contract,” notes Wayne Bennett, a partner with law firm Bingham McCutchen. “The price is based on what you told me.”


2 Know your adversary. Anyone who’s ever haggled for a car knows the key to a good deal is understanding the dealer’s cost. Same goes for buying IT. If you know what it costs your vendor to provide a product or service, you’ll know whether you’re paying a fair price. Keep in mind: All contract negotiations are not the same, and a fair deal for packaged software isn’t the same as one to integrate your customer databases.


3 Play the first card. “The first draft of an SLA should come from me,” says Phil Bertolini, director of information technology with Oakland County, Mich. That sets the tone for the negotiation and defines the playing field. Vendors always push back. Usually, they want to haggle over prices, Bertolini says, rather than whether they’ll deliver what you ask for.


4 Talk, and talk some more. No matter how well you and your vendor understand each other, there will always be disputes about whether a vendor has delivered the goods. You can head the contractor off with regular meetings to assess performance and reaffirm expectations. “You and I can sit and agree we’re headed toward that red barn, but if you’re color blind, you don’t see red the same way I do,” says Sandra Hofmann, CIO with Mapics. So she incorporates a process for resolving problems into SLAs. -E.V.
You did everything right, but...

If your IT spending isn't aligned with the business strategy, you've failed the company.

Your job has moved beyond just technology — you need to embrace your company's overall business objectives. Primavera can help. For 20 years, we've been working toward the ultimate project portfolio management solution.

Our software helps you prioritize your entire project portfolio, so you can optimize people, projects, and processes to stay focused on business goals.

We saved a Fortune 100 company $15 million in nine months. How much can we save you?

To estimate your company's potential savings with our convenient online ROI Calculator, visit:

www.primavera.com/ppm


GETTING VALUE WITH VOLUME

What you want, of course, is value for your money. The best way to achieve that is to keep contract negotiations focused on the business benefits of the deal and whether you’re paying enough to achieve them. One of the most popular contracting practices in the CIO survey — and the top-ranked practice for generating business value — was consolidating vendors for volume discounts. This practice, used by 72 percent of survey respondents, offers vendors the opportunity for additional sales at the same time as it allows CIOs to lower their per-user costs. Meanwhile, according to the survey, many of the other contracting practices CIOs say are most effective at generating business value link vendor payments to performance through service-level agreements or other, similar provisions. Such practices require customers and vendors alike to constantly evaluate whether what the customer is paying is realistic to support the work that is expected.

CIOs say consolidation decisions should be driven as much — if not more — by business needs as price if you expect dividends beyond cost-cutting. When Oakland County, Mich., wanted to install a geographical information system from ESRI, a major vendor of GIS mapping software, the county got the vendor to agree to a bulk purchasing deal that included 62 of its municipalities. The county and its cities were able to deploy a single system for about one-third of what it would have cost to have each jurisdiction make separate investments.

The deal provided a predictable benefit for ESRI: The company sold more licenses than it would have if each cash-strapped municipality had to make its own investment to develop and deploy the technology. Bertolini figures many of the smaller villages in the county wouldn’t have made the investment at all, and those that did make the purchase might not have picked compatible systems. With each community using the same system, county and city officials are able to coordinate their delivery of services in ways they never could before.

This summer, the county used the system to provide the municipalities with information about the occurrence of West Nile virus that local officials relied on to make their mosquito spraying decisions. Armed with data about the extent of the problem, the county was also able to provide money for spraying to cities that needed it. As of mid-September, Oakland County had reported no human cases, but the presence of the virus was confirmed in two birds and three mosquito pools, according to the Oakland County Health Division.

LINKING PAY TO RESULTS

No matter how good a volume pricing deal you’re able to negotiate, however, it may be hard, if not impossible, to realize the full benefits of an IT investment without defining the performance you expect for your money. Christopher Feola is vice president of technology with Belo Interactive, a division of the $1.4 billion media conglomerate Belo Corp. Feola once contracted with a well-known software vendor to build a 40-seat pilot project for a messaging system that would support group collaboration. If the pilot were successful, Feola says, his parent company intended to purchase seats for 9,000 users. But, instead, it turned out to be a failure, and Feola and Belo ended up scrapping the project altogether.

The vendor, he says, put its efforts into designing a system that would work on an enterprisewide scale instead of just in the test environment. As a result, the vendor was never able to focus on Belo Interactive’s requirements for the smaller-scale pilot that the parent company was relying on to demonstrate ROI. The system never worked. The lesson, says Feola, is that it often takes more than a guarantee of future sales to get a vendor to fulfill its promises. In retrospect, he says, he would have made sure the vendor was committed to the same vision of the project that he had. A comprehensive SLA is a good way to do that.


What You Do Versus What Works

WHAT YOU’RE DOING                                              WHAT YOU SAY WORKS
94% negotiate lower fees...                                    But only [unreadable]% find the practice effective
[unreadable]% apply penalties for failing to meet              But only 39% find the practice effective
  SLA performance agreements...
72% consolidate vendors for volume discounts...                But 58% find the practice effective
ONLY 34% craft SLAs focused on business objectives...          But 54% find the practice effective
HOW CLOSE ARE YOU TO THE NEXT GENERATION OF NETWORKING?

THE ANSWER IS JUST BENEATH THE SURFACE

Within your desktops, notebooks, switches and servers are chips enabling your business to operate in real time, delivering Gigabit speed both reliably and securely. When the top 10 computer and networking equipment brands need unsurpassed performance, they turn to us.1 Broadcom® chips are two to three times faster than the closest competitor’s in delivering network throughput on your demanding applications.2 Whether you’re wired or wireless, networking hardware built with Broadcom technology ensures the devices you use today — as well as those you add tomorrow — will connect easily and seamlessly across air, fiber and copper.

Learn how building upon Broadcom® chips end-to-end can provide you with faster network performance. Download the first two chapters of our new e-book “Architecting Next-Generation Networks” now at

www.cio.gobroadcom.com/ebook
A major reason why SLAs are so effective, says Mohanbir Sawhney, McCormick Tribune professor of technology with Northwestern University’s Kellogg School of Management, is that they align the business goals of both the customer (who wants the ROI) and the vendor (who wants to get paid). Most CIOs use SLAs to define performance for services such as maintenance, operations and software development.

Sawhney thinks the concept ought to be extended to whether a customer gets any value from deploying packaged software. Say you deploy a new call center application to improve customer service. Most CIOs, Sawhney says, would pay the vendor based on traditional metrics such as system uptime or how long it takes the vendor to fix a problem. But the business value of the application is to improve customer service, and Sawhney thinks the vendor should be paid based on whether that goal is achieved. Does the software help you respond more quickly to customers? Have your customer satisfaction rates improved?

“The way traditional software license pricing works is completely screwed up,” he says. “The vendor gets paid up front before any benefits are realized.” No wonder CIOs complain.

Bingham McCutchen’s Bennett says he’s seen an increase in such SLAs. But holding vendors accountable for achieving a business result like higher customer satisfaction rates isn’t easy, admits Sawhney. There’s more to the success of a software deployment than whether the product works as advertised, including whether employees use it. For this reason, “vendors will not voluntarily do this,” Sawhney says. That’s one likely reason why although 54 percent of survey respondents say using SLAs that are based on business metrics rather than technical measures is an effective way to obtain value, only 34 percent actually engage in this practice.

Nevertheless, savvy CIOs agree SLAs ought to derive from your definition of business value for the deal. “You need to explain to [vendors] what you’re trying to achieve,” says Hofmann, and show them how the work they’re doing contributes. “If a vendor is not meeting commitments established in the service-level agreement, that impacts how much value I’m going to be able to deliver.”

Sometimes focusing on value may even lead to higher costs, but that’s not necessarily a bad thing. Almost two-thirds of survey respondents who negotiate SLAs with vendors say they’ll continue using this practice, even though it doesn’t often save money. If, as part of an SLA, you ask a vendor to customize a service to address a business need, you shouldn’t be surprised if the vendor wants to charge you more, observes Blue Cross Blue Shield’s Enfanto. If you don’t want to shoulder the extra expense, you have to be less demanding.

LINKING vendors’ pay to success in getting a system up and running on time is not enough. You should also hold them accountable for achieving a business result like higher customer satisfaction.

Read the Vendor Value Survey

What vendor management practices do your peers use? And which of these do they actually find effective? Read the full results of the exclusive CIO survey Getting Value from IT Vendors online at www2.cio.com/research, and learn how to craft better SLAs yourself.

cio.com

Before he negotiates an SLA, Enfanto sits down with business managers and pushes them to define their expectations for the contract, such as how quickly they need a system repaired if it crashes. Their needs drive the negotiations, and part of Enfanto’s role is to educate them about the trade-offs between cost and value. “More and more, our IT budgets, especially project budgets, are controlled by the business,” he says. While they may be willing to pay more for a critical benefit, Enfanto doesn’t always tell the vendor that. He may, for instance, tell the vendor it could lose business to a cheaper competitor, even though the competitor may not be providing all the functionality business users want. But he doesn’t push too far. “I make a value judgment about how much this [contract] is going to cost them,” he says.

For vendors, meeting the commitments they agree to in an SLA has an impact on their business beyond getting paid for their services. For one thing, there’s always potential for repeat business if the deal goes well and for angry customers if it doesn’t. If a vendor isn’t performing according to the SLA, “I have to manage them a whole lot more, and the more time I spend managing, the less business value I get out of them,” Bertolini says.

No matter how conscientious the vendor is, however, crafting a good SLA and making it stick is hard work. There’s no such thing as too much detail, says Chasney of CKE Restaurants. “Everything should be spelled out on paper, so there’s no room for either side to misinterpret the agreement,” he says. But no matter how airtight the contract, no relationship with a vendor is trouble free. Whether you’re able to navigate those disputes depends on how well you understand the value to both you and your vendor.

The bottom line? You want a good deal. And you’ll get one by letting your vendor keep his wallet. If a vendor isn’t willing to be held accountable for performance, concludes Bertolini, “you have to wonder if [you] can do business with them. Obviously, if a vendor sits down at the table with me and I reach across to choke them, they’re not going to do business with me.”

What do you do to get a fair deal? E-mail Senior Editor Elana Varon at evaron@cio.com.
©2003 EDS. EDS is a registered mark and the EDS logo is a trademark of Electronic Data Systems Corporation.

Introducing the next generation of desktop services.

Because one size never fits all in the real world.

Light users rarely need every service and application they get. Heavy users often need more. With EDS' myCOE(SM) desktop solution, users can get exactly what they need, when they need it. This revolutionary solution leverages new automated deployment technologies, and enables greater control over IT costs, fit-for-purpose flexibility and any-to-any portal access. For the enterprise that wants to optimize both agility and costs, it's a perfect fit. Visit eds.com or call 800 566 9337.


Q&A | Robert Kaplan and David Norton

Strategy in Action

Strategy is all about creating value for your shareholders.

BY CHRISTOPHER KOCH

Strategy is all talk, no action. Every company is certain it has a rock-solid strategy (see, it’s right there in the company newsletter!). But going from paper to execution is where most companies fail — nine out of 10, to be exact, according to Robert Kaplan and David Norton, who in 1990 developed the Balanced Scorecard concept — a set of measures to track customers, internal processes, learning and growth. Kaplan and Norton started with metrics, but they have been gradually working their way up toward the ethereal realm of strategy. They’ve made the trip slowly and deliberately, using the cultlike group of followers and customers (Kaplan and Norton are happy to help you with your strategy) that has coalesced around the Balanced Scorecard.

There is very little that is new in Kaplan and Norton’s ideas — you hear the competitive advantage themes developed by strategy guru Michael Porter in the '80s and the value disciplines pushed by Michael Treacy and Fred Wiersema in the ’90s. But the good news about Kaplan and Norton is that they have created a continuum from the lowest-level measures of the Balanced Scorecard to the highest precepts of business strategy. They call this top-to-bottom approach the strategy map and have outlined it in their third book, Strategy Maps, which is due out in February 2004. Executive Editor Christopher Koch sat down with Kaplan, Harvard Business School professor and chairman of the Balanced Scorecard Collaborative (BSC), and Norton, president of BSC, to discuss strategy and its link to IT.


CIO: Some CIO readers are skeptical of strategy. Give me an example of a company whose business strategy wasn’t, “We are going to be number one in our market.”

Robert Kaplan: That’s not a strategy; that’s a prayer. [Laughs.] Strategy is really about positioning yourself and differentiating yourself — what is going to make you different from or better than competitors. Just a vague statement about being number one is not a strategy. It’s not saying what’s the strategic value proposition you are offering your customers.


Well, GE is lauded for its strategy, but its strategy boils down to “We will be number one or two in our markets, or we will get out.”

David Norton: Being number one or number two in a market is an objective; it’s not a strategy. Strategy is how you intend to do those things. I think that most organizations have strategies. Skeptics say, “We don’t have a strategy,” but what they’re really saying is, “I don’t understand the strategy. It hasn’t been communicated to me in a way that I can understand.”

If you want to describe the financial status of the company, you build an income statement and a balance sheet, and everyone understands it. But if you want to describe your business strategy, there is no general way to do that. So as a result, executives, even when they have a strategy, can’t really communicate it to their peers and get consensus on it, and they have no hope of communicating it to the thousands of people who work for them.

And that’s where the idea of the strategy map comes into play.

A strategy map is your guide to getting there.

Even when a company has a strategy, executives don’t know how to communicate it and get consensus on it. That’s where a strategy map can help, say Robert Kaplan (standing), chairman of the Balanced Scorecard Collaborative, and David Norton, president of the collaborative.

Define  a  strategy  map. 

Norton: A strategy map is a model of how an organization creates value. Strategy is how you intend to create value for your shareholders. The “how” is different for every organization. The strategy map at the highest level defines the shareholders’ objectives for long-term value, for growth and for productivity. The second level of the strategy map has to do with the customer and a value proposition. If you’re going to please your shareholder by growing, you have to appeal to a unique value proposition of price, quality, relationship, brand and so forth. So the strategy then forces you to be very clear about segmenting the market, understanding your customers and what they want.

Then the third level defines the processes you are going to emphasize to satisfy that customer. So how am I going to innovate and build new products? How am I going to manage the customer interface? How am I going to build and deliver the products? How am I going to function as a positive member of the community — what are my social responsibilities?

Finally, the foundation is the people, the technology and the organizational climate — the intangible assets. So it’s really defining the logic of how you will go about finding the skills and technologies you need to support a process that is going to create new products that are going to satisfy a customer and create profit for the shareholder.

Give  me  an  example  of  a  company  that 
has  made  good  use  of  the  strategy  map. 
Kaplan: Let’s use Mobil [a Balanced Scorecard client] as an example. At the highest level, they have their mission statement: to offer the number-one buying experience for consumers when they purchase gasoline. The next level would be the vision: to become the most profitable integrated oil and gas refining marketing company. The specifics when you get in the financial perspective are, We will grow revenue 2 percent faster than the industry average. Second, we will get an increasing share of our revenue from nongasoline products and services. Now you’re getting very specific.

The  customer  piece  is,  We  will  be  the 
number-one  station  of  choice  for  customers 
in  these  three  targeted  segments  who  value  a 
great  buying  experience.  And  that’s  already 
a  choice  because  it  says,  in  effect,  We’re 
going  to  charge  higher  prices,  and  we’re  not 
going  to  appeal  to  the  price-sensitive  cus¬ 
tomer  because  we’re  going  to  offer  the  best 
buying  experience  for  those  segments  of  the 
population  who  value  not  just  the  purchase 
of  the  gasoline  but  also  quick  service,  quick 
purchase  and  a  quick  payment.  Then  you 
get  to  measures,  which  pick  up  on  how  well 
you  are  delivering. 

At  what  point  in  this  strategy  map  did 
Mobil  bring  in  IT? 

Kaplan:  Part  of  getting  that  fast,  friendly 
buying  experience  at  Mobil  is  that  every 
gasoline  pump  at  a  Mobil  station  has  to 
have  technology  at  the  pump — a  credit 
card  reader.  Then  someone  got  the  idea 
that  you  could  do  better  than  a  credit  card. 
You  could  have  a  Speedpass  embedded  in  a 
key  chain  that  the  customer  waves  at  the 
pump.  That  was  using  IT  for  competitive 
advantage.  That  differentiated  the  buying 
experience. 

They  have  another  objective,  which  is  to 
have  the  lowest  refinery  operating  costs  in 
the  industry.  So  they  have  technology  related 
to  process  improvement,  the  best  monitor¬ 
ing  systems  in  refineries  and  also  feedback 
for  people  as  they  improve  their  processes  to 
lower  the  cost.  They  were  actually  able  to 
work  out  how  technology  will  help  them 
implement  their  strategy. 

So it’s possible to map IT to your business strategy. Let’s say a company is trying to compete by being low cost, like a Wal-Mart or Costco. There the information technology resource should be offering customers easy ways of buying, it should offer the company easy ways of connecting with suppliers to lower their cost of acquisition, and the company should also offer ways for employees to improve processes and strive for Six Sigma process improvements — all of which support a low total-cost strategy.

If  you’re  working  for  a  pharmaceutical 
company  trying  to  become  a  product  leader 
by  coming  up  with  new  treatments  and  new 
drugs,  then  the  IT  that’s  most  valuable  for 
that  would  be  virtual  prototyping.  Or  if 
you’re  an  automobile  company,  it  would  be 
simulation  crash  tests. 

Those are three very different strategies, and because of that, the demands on the IT resource are completely different. It gets back to Dave’s point about the strategy map. The strategy map enables you to work down from the kinds of value proposition that you’re offering your customers to the critical investments in IT and human resources that will best support your ability to position yourself in the marketplace.

How do you keep the IT and business strategies from developing in isolation from each other?

Norton: You have to redefine the management system so that it ties to the strategy. One part of the management system is the budgeting process. The IT budgeting process should be integrated with the strategy of the business. In our research, we found that only one-third of IT organizations link their own planning and budgeting to the strategy of the business. So you have to change the process.

Kaplan: Ideally we like to have the company formulate its strategy first and then the IT group can determine how it can add value. It doesn’t always happen that way. Sometimes the IT group is ahead in using our approach, but then we encourage the IT group to go to the business and ask them what their strategy is.

Norton: This is exactly how it happened at GM of Europe. They started building the strategy map within the IT organization. The IT organization became, in effect, like consultants who went out to the business unit managers and built these little strategy maps that defined the priorities of the business unit.

Let’s look at intangibles. You say that 75 percent of a company’s value is in intangible assets that cannot be measured by financial systems. Things like people, data, processes, brand, customer relationships, innovation and culture. At what point will we start putting values on these things so that we can start valuing companies properly?

Kaplan: Our thesis is the intangible assets don’t have a value by themselves. It’s only when they are linked and aligned with the company strategy that the value is created.

But  systems  have  value,  don’t  they? 
Norton: The right question is, What’s the value of my process? You can measure the
value  of  your  new  product  development 
process.  You  can  count  the  number  of  new 
products  [that  have  come  out  of  the 
process  in  the  past  few  years  and  their 
value].  Now,  having  done  that,  the  ques¬ 
tion  is,  Do  you  have  the  technology  to 
support  that  new  product  development 
process?  And  so  the  way  that  we  should 
measure  that  is  not  in  terms  of  the  finan¬ 
cial  value  of  the  system,  but  rather  in  the 
state  of  readiness  of  those  technologies  to 
support  the  strategy.  The  question  then  is, 
Do  I  have  the  technology,  do  I  have  people 
trained  to  do  this,  do  I  have  the  incentives 
to  get  full  value  out  of  the  process? 
Because  the  process  itself  is  where  you 
make  the  money,  not  the  IT  system. 

What  if  you  could  get  to  a  standard  set  of 
metrics  for  intangibles  that  would  go  into 
the  balance  sheet  but  would  not  be 
numeric— they  would  be  standardized 
across  companies  and  required  for 
reporting  purposes? 

Norton:  There  are  trends  afoot  where  this 
is  beginning  to  happen  in  pieces.  J.D. 
Power,  for  example,  performs  the  equiva¬ 
lent  of  an  audit  around  quality  in  an  organ¬ 
ization.  And  there  are  HR  surveys,  like 
Fortune’s 100 best places to work survey, that apply a kind of standard set of questions to employee surveys and develop 10 or 20 key measures. People use that as a
point  of  reference.  We  were  number  72  in 
the  top  100  places  to  work.  [International 
Organization  for  Standardization]  certifi¬ 
cation  is  another  example.  Most  of  the  car 
companies  will  tell  you  what  their  product 
development  cycle  is  and  what  the  man¬ 
hours  per  car  are. 

But  this  gets  murky  when  you  talk  about 
IT.  Companies  spend  billions  on  systems 
that  are  used  in  almost  completely  intan¬ 
gible  ways.  I  think  so  far  that  has  served 
to  the  detriment  of  IT  because  the  costs 
are  tangible  but  the  value  is  intangible. 
Norton:  But  again  I  think  the  problem  is 
that  the  focus  goes  back  to  IT  rather  than 
the  process.  We  can  be  happy  if  the  organ¬ 
ization  is  in  the  top  100  places  to  work, 
but  how  did  they  do  that?  Maybe  they 
were  all  able  to  work  at  home  because 
they  had  great  Internet  access  and  serv¬ 
ices.  How  did  you  get  your  product  devel¬ 
opment  cycle  down  from  six  years  to 
four?  You  used  CAD/CAM  and  an  engi¬ 
neering  database.  The  nonfinancial  results 
speak  for  themselves,  but  then  the  ques¬ 
tion  is,  Where  does  IT  fit  into  this?  That’s 
where  I  think  you  make  a  mistake  trying 
to  focus  and  quantify  the  value  of  IT 
because,  as  I  said  earlier,  you  can’t  isolate 
IT  from  training,  from  other  nontechnol¬ 
ogy  programs  put  in  place,  incentive  pro¬ 
grams  and  so  forth. 

Is  there  anything  you  would  add  for  CIOs 
struggling  to  make  sense  of  strategy  in 
their  organizations? 

Norton:  The  message  to  the  IT  executive 
would  be:  If  you  want  to  sit  at  the  strategy 
table,  it  doesn’t  exist,  so  you  have  an 
opportunity  to  build  it — defining  the  strat¬ 
egy,  participating  in  this  process.  Then 
everybody  has  a  way  to  align  their  activi¬ 
ties  to  the  strategy.  Everyone  is  then  strate¬ 
gic.  When  I  have  seen  this  done  in  practice, 
I  have  seen  CIOs  get  up  and  talk  about 
their  strategy,  and  you  can’t  tell  that  they 
are  a  CIO.  They’re  talking  about  business 
issues, and technology is part of it.
Software Security


The more you patch, the more you need to patch, and the more monstrously kludgy and terrifyingly unpredictable your systems and applications become. Is there any way to escape this horror?

BY  SCOTT  BERINATO 


Early one Saturday morning last January, from a computer located somewhere within the seven continents, or possibly on the four oceans, someone sent 376 bytes of code inside a single data packet to a SQL Server. That packet — which would come to be known as the Slammer worm — infected the server by sneaking in through UDP port 1434. From there it generated a set of random IP addresses and scanned them. When it found a vulnerable host, Slammer infected it, and from its new host invented more random addresses that hungrily scanned for more vulnerable hosts.
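The description above gives a network defender two things to key on even without a byte-level signature: the worm is a single UDP datagram of a known size to port 1434, and an infected host immediately starts spraying that datagram at random addresses. The following Python is an added illustration, not code from the article or from any vendor it mentions. It runs both checks over a set of constructed flow records (the addresses, timestamps, window length and fan-out threshold are all assumptions; the 376-byte size is treated as the UDP payload length). The fan-out rule is the more general of the two and would catch any random-scanning worm on that port, whatever its payload.

```python
"""Added example: spot a random-scanning UDP worm in flow records.

Two rules follow from the article's description of Slammer:
  1. a size/port signature: a 376-byte UDP payload to port 1434
  2. a fan-out rule: one source reaching many distinct hosts on
     UDP/1434 inside a short sliding window
The flow records below are constructed sample data, not captured traffic;
all thresholds are assumptions to be tuned for a real network.
"""
from collections import defaultdict, deque
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    ts: float       # seconds since start of capture
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    dport: int
    payload: int    # transport payload length in bytes


SLAMMER_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376   # from the article; assumed to be the UDP payload size
WINDOW_SECONDS = 5.0        # assumption: sliding window for the fan-out rule
FANOUT_THRESHOLD = 20       # assumption: distinct targets per window before alerting


def matches_signature(flow: Flow) -> bool:
    """Rule 1: exact-size UDP datagram to the SQL Server resolution port."""
    return (flow.proto == "udp"
            and flow.dport == SLAMMER_PORT
            and flow.payload == SLAMMER_PAYLOAD_LEN)


def fanout_sources(flows: List[Flow]) -> Dict[str, int]:
    """Rule 2: per source, peak number of distinct UDP/1434 targets seen
    inside any WINDOW_SECONDS window. Returns only sources at or above
    FANOUT_THRESHOLD, as {source: peak_distinct_targets}."""
    recent: Dict[str, deque] = defaultdict(deque)   # src -> (ts, dst) in window
    peak: Dict[str, int] = defaultdict(int)
    for f in sorted(flows, key=lambda x: x.ts):
        if f.proto != "udp" or f.dport != SLAMMER_PORT:
            continue
        window = recent[f.src]
        window.append((f.ts, f.dst))
        while window and f.ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()                          # expire old entries
        distinct = len({dst for _, dst in window})
        if distinct > peak[f.src]:
            peak[f.src] = distinct
    return {src: n for src, n in peak.items() if n >= FANOUT_THRESHOLD}


def build_sample_flows() -> List[Flow]:
    """Constructed traffic: one benign SQL client talking to one server, and
    one infected host spraying the worm datagram at many addresses.
    Addresses are private/documentation ranges, not real hosts."""
    flows: List[Flow] = []
    for i in range(5):                      # benign: tiny probes to a single server
        flows.append(Flow(float(i), "10.0.0.5", "10.0.0.20", "udp", 1434, 1))
    infected = "10.0.0.77"
    for i in range(60):                     # infected: same datagram, many targets
        flows.append(Flow(0.5 + i * 0.05, infected, f"192.0.2.{i + 1}", "udp", 1434, 376))
    # TCP to the same port number must not trip the UDP signature
    flows.append(Flow(3.0, "10.0.0.9", "10.0.0.20", "tcp", 1434, 376))
    return flows


def analyse(flows: List[Flow]) -> Dict[str, object]:
    """Run both rules and return the sources each one flagged."""
    signature_hits = sorted({f.src for f in flows if matches_signature(f)})
    return {"signature_sources": signature_hits,
            "fanout_sources": fanout_sources(flows)}


if __name__ == "__main__":
    print(analyse(build_sample_flows()))
```

On the constructed data only the infected host trips either rule: the benign client keeps hitting one server, and the TCP record is ignored by both rules. In practice the signature rule is what a firewall or IDS would block at the border, while the fan-out rule is what catches an internal host that was infected before the signature existed.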
Reader ROI

►  Who  really  writes  software 
patches 

►  Why  vulnerability  disclo¬ 
sure  invites  trouble 

►  The  pros  and  cons  of 
automating  patching 


ILLUSTRATION  BY  CHRIS  SICKELS 




Slammer  was  a  nasty  bugger.  In  the  first 
minute  of  its  life,  it  doubled  the  number  of 
machines  it  infected  every  8.5  seconds.  (Just 
to  put  that  in  perspective,  in  July  2001  the 
famous Code Red worm doubled its infections every 37 minutes. Slammer peaked in
just  three  minutes,  at  which  point  it  was 
scanning  55  million  targets  per  second.) 

Then,  Slammer  started  to  decelerate,  a 
victim  of  its  own  startling  efficiency  as  it 
bumped  into  its  own  scanning  traffic.  Still, 
by  the  10-minute  mark,  90  percent  of  all 
vulnerable  machines  on  the  planet  were 
infected.  But  when  Slammer  subsided,  talk 
focused  on  how  much  worse  it  would  have 
been  had  Slammer  hit  on  a  weekday  or, 
worse,  carried  a  destructive  payload. 

Slammer’s  maniacal  binge  occurred  a  full 
six  months  after  Microsoft  had  released  a 
patch  to  prevent  it.  Those  looking  to  cast 
blame — and  there  were  many — cried  a 
familiar  refrain:  If  everyone  had  just  patched 
his  system  in  the  first  place,  Slammer 
wouldn’t  have  happened. 

But  that’s  not  true.  And  therein  lies  our 
story. 

Slammer  was  unstoppable.  Which  points 
to  a  bigger  issue:  Patching  no  longer  works. 

Partly,  it’s  a  volume  problem.  There  are 
simply  too  many  vulnerabilities  requiring 
too  many  combinations  of  patches  coming 
too  fast.  Picture  Lucy  and  Ethel  in  the 
chocolate  factory — just  take  out  the  humor. 

But  perhaps  more  important  and  less  well 
understood,  it’s  a  process  problem.  The  cur¬ 
rent  manufacturing  process  for  patches — 
from  disclosure  of  a  vulnerability  to  the 
creation  and  distribution  of  the  updated 
code — makes  patching  untenable.  At  the 
same  time,  the  only  way  to  fix  insecure  post¬ 
release  software  (in  other  words,  all  soft¬ 
ware)  is  with  patches. 

This  Hobson’s  choice  has  taken  patching 
and  the  newly  minted  discipline  associated 
with  it,  patch  management,  into  the  realm  of 
the  absurd. 

Intel last year applied 2.4 million patches to its own network.

One analyst scanned 550 machines with patch management software, which told him to apply 10,000 patches.

Researching each of the 4,200 vulnerabilities published by CERT last year for 10 minutes would have required one staffer to research for 17.5 full workweeks, or 700 hours.

A company with 100,000 IP addresses is subject to 2.3 million vulnerability probes per day.

SOURCES: Intel white paper. CIO reporting.

Hardly surprising, then, that philosophies on what to do next have bifurcated. Depending on whom you ask, it’s either time to patch less — replacing the process with vigorous best practices and a little bit of risk analysis — or it’s time to patch more — by automating the process with, yes, more software.

“We’re  between  a  rock  and  a  hard 
place,”  says  Bob  Wynn,  former  CISO  of  the 
state  of  Georgia.  “No  one  can  manage  this 
effectively.  I  can’t  just  automatically  deploy  a 
patch.  And  because  the  time  it  takes  for  a 
virus  to  spread  is  so  compressed  now,  I  don’t 
have  time  to  test  them  before  I  patch  either.” 

How  to  Build 
a  Monster 

Patching is, by most accounts, as old as software itself. Unique among engineered artifacts, software is not beholden to the laws of physics; it can endure fundamental change relatively easily even after it’s been “built.” Automobile engines, by contrast, don’t take to piston redesigns once they roll off the assembly line nearly so well.

This  unique  characteristic  of  software  has 
contributed  to  a  software  engineering  culture 
that  generally  regards  quality  and  security  as 
obstacles.  An  adage  among  programmers 
suggests  that  when  it  comes  to  software,  you 
can  pick  only  two  of  three:  speed  to  market, 
number of features, level of quality. Programmers’ egos are wrapped up in the first two; rarely do they pick the third (since, of course, software is so easily repaired later, by someone else).

Such  an  approach  has  never  been  more 
dangerous.  Software  today  is  massive  (Win¬ 
dows  XP  contains  45  million  lines  of  code) 
and  the  rate  of  sloppy  coding  (10  to  20 
errors  per  1,000  lines  of  code)  has  led  to 
thousands  of  vulnerabilities.  CERT  pub¬ 
lished  4,200  new  vulnerabilities  last  year — 
that’s  3,000  more  than  it  published  three 
years  ago.  Meanwhile,  software  continues 
to  find  itself  running  evermore  critical  busi¬ 
ness  functions,  where  its  failure  carries  pro¬ 
found  implications.  In  other  words,  right 
when  quality  should  be  getting  better,  it’s 
getting  exponentially  worse. 

Patch  and  Pray 

Stitching patches into these complex systems, which sit within labyrinthine networks of similarly complex systems, makes it impossible to know if a patch will solve the problem it’s meant to without creating unintended consequences. One patch, for example, worked fine for everyone — except those unlucky users who happened to have a certain Compaq system connected to a certain RAID array without certain updated drivers. In which case the patch knocked out the storage array.

Tim Rice, network systems analyst at Duke University, was one of the unlucky ones. “If you just jump in and apply patches, you get nailed,” he says. “You can set up six different systems the same way, apply the same patch to each, and get one system behaving differently.”

Raleigh  Burns,  former  security  adminis¬ 
trator  at  St.  Elizabeth’s  Medical  Center, 
agrees.  “Executives  think  this  stuff  has  a 
Mickey  Mouse  GUI,  but  even  chintzy  patches 
are  complicated.” 

The  conventional  wisdom  is  that  when 
you  implement  a  patch,  you  improve  things. 
But  Wynn  isn’t  convinced.  “We’ve  all  applied 
patches  that  put  us  out  of  service.  Plenty  of 
patches  actually  create  more  problems — they 
just  shift  you  from  one  vulnerability  cycle  to 
another,”  Wynn  says.  “It’s  still  consumer 
beware.” 

Yet  for  many  who  haven’t  dealt  directly 
with  patches,  there’s  a  sense  that  patches  are 
simply  click-and-fix.  In  reality,  they’re  often 
patch-and-pray.  At  the  very  least,  they 
require  testing.  Some  financial  institutions, 
says  Shawn  Hernan,  team  leader  for  vul¬ 
nerability  handling  in  the  CERT  Coordina¬ 
tion  Center  at  the  Software  Engineering 
Institute  (SEI),  mandate  six  weeks  of  regres¬ 
sion  testing  before  a  patch  goes  live.  Third- 
party  vendors  often  take  months  after  a 
patch  is  released  to  certify  that  it  won’t 
break  their  applications. 


All of which makes the post-outbreak admonishing to “Patch more vigilantly” farcical and, probably to some, offensive. It’s the complexity and fragility — not some inherent laziness or sloppy management — that explains why Slammer could wreak such havoc 185 days after Microsoft released a patch for it.

“We get hot fixes every day, and we’re loath to put them in,” says Frank Clark, former senior vice president and CIO of Covenant Health, whose six-hospital network was knocked out when Slammer hit, causing doctors to revert to paper-based care. “We believe it’s safer to wait until the vendor certifies the hot fixes in a service pack.”

On the other hand, if Clark had deployed every patch he was supposed to, nothing would have been different. He would have been knocked out just the same.

Attention Hackers:
Weakness Here

Slammer neatly demonstrates everything that’s wrong with manufacturing software patches. It begins with disclosure of the vulnerability, which happened in the case of Slammer in July 2002, when Microsoft issued patch MS02-039. The patch steeled a file called ssnetlib.dll against buffer overflows.

“Disclosure basically gives hackers an attack map,” says Gary McGraw, CTO of Cigital and the author of Building Secure Software. “Suddenly they know exactly where to go. If it’s true that people don’t patch — and they don’t — disclosure helps mostly the hackers.”

Essentially, disclosure’s a starter’s gun. Once it goes off, it’s a footrace between hackers (who now know what file to exploit) and everyone else (who must all patch their systems successfully). And the good guys never win. Someone probably started working on a worm to attack ssnetlib.dll as soon as Microsoft released MS02-039.

In the case of Slammer, Microsoft built three more patches in 2002 — MS02-043 in August, MS02-056 in early October and MS02-061 in mid-October — for related SQL Server vulnerabilities. MS02-056 updated ssnetlib.dll to a newer version; otherwise, all of the patches played together nicely.

Then, on October 30, Microsoft released Q317748, a nonsecurity hot fix for SQL Server.

Danger: Patch
Under Construction

Q317748 repaired a performance-degrading memory leak. But the team that built it had used an old, vulnerable version of ssnetlib.dll. When Q317748 was installed, it could overwrite the secure version of the file and thus make that server as vulnerable to a worm like Slammer as one that had never been patched.

“As bad as software can be, at least when a company develops a product, it looks at it holistically,” says SEI’s Hernan. “It’s given the attention of senior developers and architects, and if quality metrics exist, that’s when they’re used.”

Which is not the case with patches.

Patch writing is usually assigned to entry-level maintenance programmers, says Hernan. They fix problems where they’re found. They have no authority to look for recurrences or to audit code. And the patch coders face severe time constraints — remember there’s a footrace on. They don’t have time to communicate with other groups writing other patches that might conflict with theirs. (Not that they’re set up to communicate. Russ Cooper, who manages NTBugtraq, the Windows vulnerability mailing list, says companies often divide maintenance by product group and let them develop their own tools and strategies for patching.) There’s little, if any, testing of patches by the vendors that create them.

Ironically,  maintenance  programmers 
write  patches  using  the  same  software 
development  methodologies  employed  to 
create  the  insecure,  buggy  code  that  they 
are  supposed  to  be  fixing.  It’s  no  surprise 
then  that  these  Dr.  FrankenPatches  pro¬ 
duce  poorly  written  products  that  can 
break  as  much  as  they  fix.  For  example, 
an  esoteric  flaw  found  last  summer  in  an 
encryption  program — one  so  arcane  it 
might  never  have  been  exploited — was 
patched.  The  patch  itself  had  a  gaping 
buffer  overflow  written  into  it,  and  that 
was  quickly  exploited,  says  Hernan.  In 
another  case  last  April,  Microsoft  released 
patch  MS03-013  to  fix  a  serious  vulnera¬ 
bility  in  Windows  XP.  On  some  systems,  it 
also  degraded  performance  by  roughly 
90  percent.  The  performance  degradation 
required  another  patch,  which  wasn’t 
released  for  a  month. 

Slammer  feasted  on  such  methodological 
deficiencies.  It  infected  both  servers  made 
vulnerable  by  conflicting  patches  and 
servers  that  were  never  patched  at  all 
because  the  SQL  patching  scheme  was 
kludgy.  These  particular  patches  required 
scripting,  file  moves,  and  registry  and  per¬ 
mission  changes  to  install.  (After  the  Slam¬ 
mer  outbreak,  even  Microsoft  engineers 
struggled  with  the  patches.)  Many  avoided 
the  patch  because  they  feared  breaking  SQL 
Server,  one  of  their  critical  platforms.  It  was 
as  if  their  car  had  been  recalled  and  the 
automaker  mailed  them  a  transmission  with 
installation  instructions. 


Vulnerabilities 
Come  to  the  Fore 

The initial reaction to Slammer was confusion on a Keystone Kops scale. “It was difficult to know just what patch applied to what and where,” says NTBugtraq’s Cooper, who’s also the “surgeon general” at vendor TruSecure.

Slammer  hit  at  a  particularly  dynamic 
moment:  Microsoft  had  released  Service 
Pack  3  for  SQL  Server  days  earlier.  It  wasn’t 
immediately  clear  if  SP3  would  need  to  be 
patched  (it  wouldn’t),  and  Microsoft  early 
on  told  customers  to  upgrade  their  SQL 
Server  to  SP3  to  escape  the  mess. 

Meanwhile,  those  trying  to  use  MS02- 
061  were  struggling  mightily  with  its  kludgi- 
ness,  and  those  who  had  patched — but  got 
infected  and  watched  their  bandwidth 
sucked  down  to  nothing — were  baffled.  At 
the  same  time,  a  derivative  SQL  application 
called  MSDE  (Microsoft  Desktop  Engine) 
was  causing  significant  consternation. 
MSDE  runs  in  client  apps  and  connects 
them  back  to  the  SQL  Server.  Experts 
assumed  MSDE  would  be  vulnerable  to 
Slammer  since  all  of  the  patches  had  applied 
to  both  SQL  and  MSDE  users. 

That turned out to be true, and Cooper remembers a sense of dread as he realized MSDE could be found in about 130 third-party applications. It runs in the background; many corporate administrators wouldn’t even know it’s there. Cooper estimated it could be found in half of all corporate desktop clients. In fact, at Beth Israel Deaconess Hospital in Boston, MSDE had caused an infestation although the network SQL Servers had been patched.

When  customers  arrived  at  work  on 
Monday  and  booted  up  their  clients,  which 
in  turn  loaded  MSDE,  Cooper  worried  that 
Slammer  would  start  a  reinfestation,  or 
maybe  it  would  spawn  a  variant.  No  one 
knew  what  would  happen.  And  while 
patching  thousands  of  SQL  Servers  is  one 
thing,  finding  and  patching  millions  of 
clients  with  MSDE  running  is  another 
entirely.  Still,  Microsoft  insisted,  if  you 
installed  SQL  Server  SP3,  your  MSDE  appli¬ 
cations  would  be  protected. 

It  seemed  like  reasonable  advice. 

Then  again,  companies  take  more  than  a 
week  to  stick  a  service  pack  into  a  network. 
After  all,  single  patches  require  regression 
testing,  and  service  packs  are  hundreds  of 
security  patches,  quality  fixes  and  feature 
upgrades  rolled  together.  In  a  crisis,  upgrad¬ 
ing  a  service  pack  that  was  days  old  wasn’t 
reasonable.  Cooper  soon  learned  that  Best 
Software’s  MAS  500  accounting  software 
wouldn’t  run  with  Service  Pack  3.  MAS  500 
users  who  installed  SP3  to  defend  against 
Slammer  had  their  applications  fall  over. 
They  would  have  to  start  over  and  reformat 
their  machines.  All  the  while  everyone  was 
trying  to  beat  Slammer  to  the  workweek  to 
avoid  a  severe  uptick  in  Slammer  infections 
when  millions  of  machines  worldwide  were 
turned  on  or  otherwise  exposed  to  the  worm 
that,  over  the  weekend,  remained  blissfully 
dormant. 

“By late Sunday afternoon, Microsoft had two rooms set up on campus,” says Cooper. “Services guys are in one room figuring out what to say to customers. A security response team is in the other room trying to figure out how to repackage the patches and do technical damage control.

“I’m on a cell phone, and there’s a guy there running me between the two rooms.” Cooper laughs at the thought of it.

Why  Every  Patch 
Starts  from  Zero 

As the volume and complexity of software increases, so do the volume and complexity of patches. The problem with this, says SEI’s Hernan, is that there’s nothing standard about the patch infrastructure or managing the onslaught of patches.

There are no standard naming conventions for patches; vulnerability disclosure comes from whatever competitive vendor can get the news out first. Distribution might be automated or manual; and installation could be a double-click .exe file or a manual process.

Microsoft alone uses a hierarchy of eight different patching mechanisms (the company says it wants to reduce that number). But that only adds to customer confusion.

“How do I know when I need to reapply a security rollup patch? Do I then need to reapply Win2K Service Pack 2? Do I need to reinstall hot fixes after more recent SPs?” Similar questions were posed to a third-party services company in a security newsletter. The answer was a page-and-a-half long.

There’s also little record-keeping or archiving around patches, leaving vendors to make the same mistakes over and over without building up knowledge about when and where vulnerabilities arise and how to avoid them. For example, Apple’s Safari Web browser contained a significant security flaw in the way it validated certificates using SSL encryption, which required a patch. Every browser ever built before Safari, Hernan says, had contained the same flaw.

“I’d like to think there’s a way to improve the process here,” says Mykolas Rambus, CIO of financial services company W.P. Carey. “It would take an industry body — a nonprofit consortium-type setup — to create standard naming conventions, to production test an insane number of these things, and to keep a database of knowledge on the patches so I could look up what other companies like mine did with their patching and what happened.”

Rambus  doesn’t  sound  hopeful. 

Slammer Dopeslaps the Software Industry

SLAMMER HAS BECOME SOMETHING OF a turning point. The fury of its 10-minute conflagration and the ensuing comedy of a gaggle of firefighters untangling their hoses, rushing to the scene and finding that the building has already burnt down, left enough of an impression to convince many that patching, as it is currently practiced, doesn’t work.

“Something has to happen,” says Rambus. “There’s going to be a backlash if it doesn’t improve. I’d suggest that this patching problem is the responsibility of the vendors, and the costs are being taken on by the customers.”

There’s good news and bad news for Rambus. The good news is that vendors are motivated to try and fix the patch process. And they’re earnest — one might say even religious — about their competing approaches. And the fervent search for a cure has intensified markedly since Slammer.

The bad news is that none of what’s happening changes the economics of patching. Customers still pay.

Patch More or Patch Less: A Hobson’s Choice

THERE ARE TWO EMERGING AND OPPOSITE patching philosophies: Patch more, or patch less.

Vendors in the Patch More school have, almost overnight, created an entirely new class of software called patch management software. The term means different things to different people (already one vendor has concocted a spinoff, “virtual patch management”), but in general, PM automates the process of finding, downloading and applying patches. Patch More adherents believe patching isn’t the problem, but manual patching is. Perfunctory checks for updates and automated deployment, checks for conflicts, rollback capabilities (in case there is a conflict) will, under the Patch More school of thought, fix patching. PM software can keep machines as up-to-date as possible without the possibility of human error.

The CISO at a major convenience store chain says it’s already working. “Patching was spiraling out of control until recently,” he says. “Before, we knew we had a problem because of the sheer volume of patches. We knew we were exposed in a handful of places. The update services coming now from Microsoft, though, have made the situation an order of magnitude better.”

Duke University’s Rice tested patch management software on 550 machines. When the application told him he needed 10,000 patches, he wasn’t sure if that was a good thing. “Obviously, it’s powerful, but automation leaves you open to automatically putting in buggy patches.” Rice might be thinking of the patch that crashed his storage array on a Compaq server. “I need automation to deploy patches,” he says. “I do not want automatic patch distribution.”

The Patch Less constituency is best represented by Peter Tippett, vice chairman and CTO of TruSecure. Based on 12 years of actuarial data, he says that only about 2 percent of vulnerabilities result in attacks. Therefore, most patches aren’t worth applying. In risk management terms, they’re at best superfluous and, at worst, a significant additional risk.

Instead, Tippett says, improve your security policy — lock down ports such as 1434 that really had no reason to be open — and pay third parties to figure out which patches are necessary and which ones you can ignore. “More than half of Microsoft’s 72 major vulnerabilities last year will never affect anyone ever,” says Tippett. “With patching, we’re picking the worst possible risk-reduction model there is.”

Tippett is at once professorial and constantly selling his own company’s ability to provide the services that make patching less viable. But many thoughtful security leaders think Tippett’s approach is as flawed and dangerous as automated patch management.

“He’s using old-school risk analysis,” says Burns. “How can you come up with an accurate probability matrix on blended threat viruses using 12 years of data when they’ve only been around for two years?”

An additional problem with the Patch Less school is the feeling of insecurity it engenders. Not patching is sort of like forgetting to put on your watch and feeling naked all day. Several information executives described an illogical pull to patch, even if the risk equation determined that less patching is equally or even more effective.

There’s also an emerging hybrid approach — which combines the patch management software with expertise and policy management. It also combines the costs of paying smart people to know your risks while also investing in new software.

Hernan says, “I can understand the frustration that can lead to the attitude of, ‘Forget it, I can’t patch everything,’ but that person’s taking a big chance. On the other hand, he’s also taking a big chance applying a patch.”

“I don’t have much faith in automated patching schemes,” says Rambus. “But I could be convinced.”

Wynn is ambivalent too. “If you think patch management is a cure, you’re mistaken. Think of it as an incremental improvement. I have to take a theory of the middle range,” he says vaguely.

It’s Alive! The Persistence of Slammer

ON MONDAY AFTER SLAMMER HIT, Microsoft rereleased MS02-061 to cover up the memory leak and update ssnetlib.dll, and it was much easier to install. Of course, by then, Slammer was already pandemic. Microsoft itself was infected badly, prompting a moment of schadenfreude for many. ISP networks had collapsed; several root DNS servers were overwhelmed; airlines had canceled flights; ATM machines refused to hand out money. In Canada, a national election was delayed.

The patches had, at best, a minuscule effect. What ended up preventing Slammer from worming its way into the workweek and causing even more damage, it turns out, was a rare and unusual gesture by ISPs. That same Monday, they agreed to block Internet traffic on UDP port 1434, the one Slammer used to propagate itself. “That’s what allowed us to survive,” says Cooper.

And surely, with ISPs blocking the door, companies would seize the opportunity to update, test and deploy the new patches. Or they could upgrade to Service Pack 3. They could locate and patch all their MSDE clients and, finally, kill Slammer dead.

But 10 days later, when ISPs opened port 1434 again, there was a spike in Slammer infections of SQL Servers. Six months later, in mid-July, the Wormwatch.org listener service showed Slammer remained the most prevalent worm in the wild, twice as common as any other worm. It was still trolling for, and finding, unpatched systems to infect.

An industry body could create standard naming conventions and keep a database of knowledge on the patches so I could look up what other companies like mine did with their patching and what happened.

-Mykolas Rambus, CIO, W.P. Carey

Share Your Opinion

Damned if you do, damned if you don’t. That seems to be the accepted wisdom on patching. What’s a CIO to do? What do you do?

Share your tried-and-true tactics — or read what your peers have done successfully — in the ADD A COMMENT section at the end of the online version of this feature.

cio.com
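The port 1434 story suggests two checks a network team would want to run on its own flow logs: whether any host is spraying UDP/1434 across many distinct addresses (the propagation pattern the article describes) and whether UDP/1434 traffic still crosses the site’s own edge once an upstream ISP block goes away. The following Python is an added example, not code from the article or from Microsoft, TruSecure or any other party it quotes; the flow records, the record format and the fan-out threshold are constructed assumptions.

```python
"""Flag hosts that behave like a Slammer-infected SQL Server: a burst of UDP
datagrams to port 1434 spread across many distinct destination addresses.

Added example, not code from the CIO article or any vendor it quotes. The flow
records below are constructed, and the fan-out threshold is an assumption that a
network team would tune against its own baseline of legitimate SQL traffic.
"""
from collections import defaultdict
from dataclasses import dataclass

SLAMMER_PORT = 1434  # UDP port the article identifies as Slammer's propagation channel


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one record of the constructed format: <src> <dst> <proto> <dport>."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def iter_flows(lines):
    """Yield Flow objects, skipping blank lines and '#' comments."""
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            yield parse_flow(line)


def find_scanners(lines, fanout_threshold=20):
    """Return {src: number of distinct UDP/1434 targets} for every source whose
    fan-out reaches the threshold. A normal SQL client resolves a handful of
    servers; a worm sprays the port across addresses it has never talked to."""
    targets = defaultdict(set)
    for flow in iter_flows(lines):
        if flow.proto == "udp" and flow.dport == SLAMMER_PORT:
            targets[flow.src].add(flow.dst)
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) >= fanout_threshold}


def perimeter_1434_flows(lines, internal_prefix="10."):
    """Count UDP/1434 datagrams that cross the network edge in either direction.
    The article notes the spike in infections once ISPs reopened port 1434; a
    non-zero count here means the site is relying on that upstream block rather
    than enforcing one at its own edge."""
    crossing = 0
    for flow in iter_flows(lines):
        if flow.proto != "udp" or flow.dport != SLAMMER_PORT:
            continue
        inside_src = flow.src.startswith(internal_prefix)
        inside_dst = flow.dst.startswith(internal_prefix)
        if inside_src != inside_dst:
            crossing += 1
    return crossing


def build_sample_log():
    """Constructed flow records: one legitimate SQL client, one Slammer-like host
    spraying 25 addresses (some outside the 10.0.0.0/8 'internal' range), and a
    probe arriving from the Internet. Outside addresses use documentation ranges."""
    lines = ["# src dst proto dport  (constructed sample)"]
    # Legitimate client resolving the same two servers repeatedly.
    for _ in range(5):
        lines.append("10.0.1.4 10.0.2.9 udp 1434")
        lines.append("10.0.1.4 10.0.2.10 udp 1434")
    lines.append("10.0.1.4 10.0.2.9 tcp 1433")  # ordinary TDS session, not in scope
    # Infected host: 25 distinct targets on UDP/1434, half inside, half outside.
    for i in range(25):
        dst = f"10.7.{i}.1" if i % 2 == 0 else f"203.0.113.{i}"
        lines.append(f"10.0.5.12 {dst} udp 1434")
    # Inbound probe from the Internet that the edge should have dropped.
    lines.append("198.51.100.7 10.0.2.9 udp 1434")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    for host, n in sorted(find_scanners(log).items()):
        print(f"{host}: {n} distinct UDP/1434 targets, Slammer-like fan-out")
    print(f"UDP/1434 datagrams crossing the perimeter: {perimeter_1434_flows(log)}")
```

On the constructed sample only the sprayer is reported, while the legitimate client stays under the threshold; a real deployment would feed exported flow records in place of the sample and set the threshold from observed SQL client behaviour.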


Senior  Editor  Scott  Berinato  can  be  reached  via 
e-mail  at  sberinato@cio.com. 


110  CIO  NOVEMBER  1,  2003  •  www.cio.com 




Sound Off

Taking Sides on Critical IT Issues

Is Microsoft Less Expensive Than Linux?

UNTIL RECENTLY, if you wanted to find someone who thought that a Windows-based program was cheaper than one based on Linux, you had to go all the way to Redmond. No more. Not since Microsoft paid Forrester Research’s Giga Research to conduct a comparative study of the costs of developing a Web-based portal. The study compared the costs incurred by five large and midsize companies that used the Java 2 Enterprise Edition with costs incurred by seven large and midsize companies that used .Net applications. For large corporations in the study, the cost of using Microsoft products for development and deployment plus three years of maintenance was 28 percent less than the cost for J2EE/Linux. And for midsize companies, the Microsoft route was 25 percent cheaper.

Of course, it’s not shocking that a study commissioned by Microsoft should demonstrate the advantages of that company’s products over Linux, but the fact that the study was commissioned at all reveals Microsoft’s concern. And for good reason. IDC (a sister company to CIO’s publisher) recently reported that sales of Linux servers are growing faster than those of Windows servers, and Gartner tells us that the sales of servers running Linux are up nearly 60 percent from a year earlier. In short, it’s a very good time for Bill Gates to pull out his checkbook and order up some market research.

Forrester analysts John Rymer and Bob Cormier explain that the study intended, among other things, to inject some rational thought into the emotional debate between Linux-leaning ideologues and the rest of the world. In fact, the most interesting aspect of the report is that it demonstrates the ideological battle over Linux is moot. Like those “rebellious” presidential candidates who admit that they inhaled, Linux is now a major part of the establishment. Take a look: The Giga Research study found that the biggest cost advantages of Microsoft products came in comparison to the cost of Linux-based products sold by monster software makers Oracle and BEA. According to the study, large corporations paid $80,000 for Oracle’s database, compared with less than $40,000 for Microsoft SQL; and they paid $60,000 to BEA for development tools, compared with $12,500 to Microsoft Visual Studio .Net. Midsize companies, the study found, enjoyed savings of similar proportions.

What  would  the  cost  savings  look  like  if  the  companies  that 
paid  big  bucks  to  Oracle  and  BEA  had  used  free  Linux-based 
databases  and  scripting  tools  such  as  PHP  and  MySQL?  Giga 
doesn’t  know  because,  as  Cormier  explains,  it  didn’t  look  at 
any  such  companies.  He  says  that  Giga — not  Microsoft — decided 
which  companies  to  look  at. 


In the spirit of fairness, the study does point out that it examined only the cost of Web portal applications using Linux and Windows, and that similar cost-benefit analyses of more sophisticated applications may favor Linux.

What  do  you  think?  Is  Microsoft  less  expensive  than  Linux? 

Sound Off is a weekly column about current IT-related issues. Web Editorial Director Art Jahnke (ajahnke@cio.com) always welcomes feedback.

I THINK THAT THIS ANALYSIS IS COMPLETELY FLAWED. Giga Research analyzed the cost differences using the wrong tools. This is more of a J2EE versus .Net cost comparison — not Linux versus Microsoft.

Oracle is more expensive, and it will drive the cost of using a Linux-based solution higher than a Microsoft solution. What about SAPDB, which contains many of the features of Oracle but is free? It is far more robust than SQL Server, MySQL and PostgreSQL. Firebird is a good example too. Obviously, Giga was paid not only to make a cost comparison but to make sure Microsoft came out on top.

Any Web application can be better off run on Linux. That’s all I’ve used; that is all I will ever use. Linux can easily be brought onto the corporate desktop, but it may require a little more work than porting a Microsoft Web server to Linux.

Jason Latonio
CTO

International Securities Lending Exchange


I AM AN MS DEVELOPER AND LIKE TO TOY AROUND with Linux. I believe that Microsoft’s products are superior as they are more integrated and enable me to produce robust, powerful solutions easily and neatly. The largest costs within companies sporting custom-developed systems are, after all, the salaries of the developers and contractors — and not the software being used.

However, Linux is improving very rapidly, and this is due to organizations adopting and contributing to it, which might eventually result in Linux being the number-one OS and the tools also being number one. Keep up the great work, Microsoft and all you Linux OS dudes — remember, competition is the lifeblood of our industry.

Stephen Ensor

Developer
iQula

AFTER MORE THAN 25 YEARS USING ALL sorts of Unix variants and Microsoft products, all I want are services where the OS is transparent and the quality of the service is measured independent of the developers’ preference to one OS or the other. Give me secure appliances for development, and I don’t care if they run on Linux, Windows, IOS or some ASIC-based operating system.

Dennis F. O’Brien

CTO

Keynote Security

WE  IN  INDIA  LIKEN  BUYING  WINDOWS  OS  TO  BUYING  AN 

elephant  (minus  the  strength):  Buying  it  is  easy,  but  how  about 
maintaining  it? 

Jayakrishnan 

WORK OUT THE PERCENTAGE OF YOUR I.T. BUDGET that goes on software and compare it with your staff costs. The question is not the price of software but the relative productivity of developers, admins and users. On those counts, Microsoft wins hands down. Linux is free only if your time is worthless.

Bill Smithers

IT Manager

SO, WHAT THIS STUDY TELLS ME IS THAT FOR CERTAIN types of narrowly defined development projects, targeted for certain narrowly defined platforms and environments, I might save money by using all Microsoft tools — if certain assumptions apply to my situation. Well, that’s certainly convincing. But, then again, I’ve seen the same caliber of argument from the other side as well. It strikes me that both sides always argue for an all-or-nothing solution. It makes more sense to me to use whatever platform and OS are most appropriate, and then to use tools that are platform and OS agnostic, such as ColdFusion. At least it’s as easy to learn as Visual Studio and more portable than PHP.

Danny Shaw

Chief Knowledge Officer
Children’s Hospital Boston

PHP/MYSQL DEVELOPMENT IS FAR CHEAPER AND easier.

I’ve  been  developing  with  PHP  since  PHP/FI  2.0  (over  five 
years)  and  would  choose  PHP  over  any  other  existing  Web- 
based  scripting  tool  regardless  of  cost. 

It’s  fast,  powerful,  easily  extendable,  less  overhead  than  Java, 
and  very  easy  to  use  and  embed  into  HTML.  It’s  also  free  and 
you  get  the  complete  source  code. 

Giga’s study is comparing apples to oranges. For its study to have any merit, it would have to compare the exact same products (J2EE on Windows versus J2EE on Linux).

The most distressing thing about the publicity over this study was how nearly every article had the headline “Windows really is cheaper than Linux,” and far too many people read only the headlines.

Derek Snider

Senior Programmer
Hostopia

THE STUDY IS NOT WELL CONDUCTED. YOU CAN’T compare Oracle versus Microsoft SQL or BEA versus Visual Basic .Net. Cost of purchase using the same database server and development tool is clearly against Microsoft. Development costs also creep in if you take into account the millions of lines of source code you find for Linux platforms, enabling developers to reuse it or to see how things are done, shortening the development cycle.

Juan Toro

CTO

Mediware

IS A THREE-YEAR STUDY A LONG ENOUGH TIME FRAME? I believe it is a great flaw in the calculations: As we all know, a Microsoft license is valid for only one product and may not be upgraded free of charge. Thus, when the product leaves the customer without support after the five years defined by Microsoft, the company needs to acquire an updated OS once more. With Linux, you won’t see this cost.

Kenneth Andresen

Unix Administrator

WHY NOT AN ENTIRE OPEN-SOURCE SOLUTION? INSTEAD of building a portal from scratch (the Microsoft approach), you could get a full-featured one. The same open-source community that built Linux, Apache and PostgreSQL also delivers great tools like Zope, TWiki, PHPNuke, Drupal, GNU BIS and Slash.

A smart CIO should at least evaluate the open-source solutions before even thinking about building his own.

Qaz Trew

CIO

APPLICATIONS, LICENSES AND DEVELOPMENT TOOLS are not the only costs. Don’t forget the expenses of system crashes, viruses and other failures that are much more likely to happen in the Windows environments than in Linux. These errors not only affect the primary user, they add costs for those who are waiting for this user to recover the error. This carries on like rings on water, summing up to a huge expense. If Giga Research really wanted to produce an interesting study, it would check how many hours a week people deal with computer failures on average in the two respective computing environments.

Rein Ytterberg

Consultant

THE COST OF MICROSOFT SOFTWARE IS ABOUT 5 PERCENT of total cost of ownership of IT. The cost of free Linux plus expensive Oracle or BEA equals more than low-cost Windows plus low-cost SQL Server. But even if the Linux platform software was cheaper, it is still more expensive than Microsoft because the people costs are much higher (but then the Linux bigots wouldn’t want to admit that). For evidence, go and read the pro-J2EE camp’s comparison of developing the same application. Go and read how long it took just to work out which bits of free software actually work together (www.middleware-company.com/j2eedotnetbench).

Charles Lancaster

IT Manager

I’D LIKE TO SEE A FEW STUDIES PUT A number on the total hours of downtime and service degradation due to exploited vulnerabilities and botched upgrades.

Daniel R. Haney

System Software Engineer

FOR SMALL TO MIDSIZE BUSINESSES, who needs Oracle? I mean, honestly, if you are going to run a major portal on Windows would you use SQL 2000 or Oracle? Any smart person would go with Oracle. (Same as on Linux.) But if you are running a small portal to support 200 to 300 users, you could go with a small setup clustered for load balancing. Who would use Oracle in that situation?

Amazon.com moved to Linux almost two years ago, and I have yet to hear rumblings of Linux costing the company more money or causing it more headaches.

Microsoft has found a force it cannot stop. Even if there is no cost savings, nothing can beat open software. Software you can tinker with, software that could have but could not hide spyware. Software that unlike Microsoft you could if need be develop on your own to fit your needs.

Tyrone Miles

Network Engineer
USAID

THERE  ARE  OPEN-SOURCE  ALTERNATIVES  ON  THE 

Microsoft  platform  too. 

If  we  are  to  purely  base  the  analysis  on  price  concern,  then 
don’t  forget  there  is  an  equally  large  number  of  open-source 
alternatives  on  the  Microsoft  platform  as  well.  Since  the  study 
seems  to  be  based  more  or  less  on  commercial  off-the-shelf 
software,  then  the  price-ROI  analysis  has  some  merits.  Going 
with  open-source  options  of  course  will  save  a  lot  of  initial 
investment  cost;  however,  in  my  company’s  case,  we  were 
more  concerned  with  availability  of  tech  support  and  upgrade 
options.  Such  criteria  almost  always  will  favor  commercial 
off-the-shelf  solutions. 

K.  Chen 

Software  Engineer 


The Specter of IT Unions

THERE  ARE  TWO  KINDS  OF  WORKERS  in  America:  those  who  work 
for  unions  and  those  who  don’t. 

Right  now,  most  high-tech  workers  are  not  union  members. 
Instead,  they  work  “at  will,”  meaning,  among  other  things, 
that  legally  they  can  be  fired  at  any  time,  notes  the  Washington 
Alliance  of  Technology  Workers,  a  West  Coast-based  advocacy 
group  for  high-tech  workers.  These  millions  of  IT  workers  put 
in  long  hours,  are  given  limited  benefits,  and  have  fading  career 
mobility  as  many  jobs  are  outsourced. 

CIOs should be concerned about the state of mind of their workers, because the drumbeat of IT unionization, which began in the frenzied days of the dotcom era, is becoming more constant. IT workers see their future job opportunities threatened by the cold, hard realities of globalization and corporate efficiency.

We reported in our Sept. 15 issue that the majority of IT workers are unhappy. In an exclusive staffing survey, 52 percent of respondents believed that their CIOs do not foster a team atmosphere. Ninety-three percent said their CIOs don’t spend enough time developing leadership within the department. And 61 percent claimed their CIOs do not pay enough attention to IT staff morale and stress levels.

If you need further evidence that the IT rank and file are restless, just visit the blogs or check out the responses to what we have written about this topic at www.cio.com. The comments are polemical. Few take the middle ground.

America is a nation propped up on an economic foundation built on the zeros and ones of software code. If IT workers were to unionize, and if IT workers were to go on strike, our nation’s economy would be brought to its knees.

What’s  your  take?  Are  you  happy  as  an  at-will  tech  worker? 
Do  you  think  we  will  ever  see  the  day  of  pervasive  IT  unions 
across  America?  Drop  me  a  note  to  gbeach@cio.com,  and  I 
will  share  your  responses  in  an  upcoming  column. 
Expert Advice to Aspiring CIOs and IT Managers


Aiming for the CIO Seat

Doing what you have to do to get where you want to go

Q: I am looking to move my career more into the technology arena with the ultimate goal of becoming a CIO. I have an MBA from a top-20 school, international experience, 10 years in mid- and back-office operations at a top investment bank, and I have run a Web development team. Most recently, I acted as global technology coordinator for our division, managing a $12 million budget and developing our technology strategy. Is it unrealistic for me to consider such a career move without more experience or education? I am considering getting a master’s in MIS. Do you think this would make any difference?

A: Your combination of education and operating experience sounds like an excellent foundation upon which to continue progressing toward your career goal of becoming a CIO. Assuming that your most recent job refers to infrastructure planning and deployment, then the holes in your background seem to be in business applications development and in data center operations and networking.

Regarding the former, look for an opportunity to leverage your knowledge of mid- and back-office operations through management of significant business solutions projects. Regarding the latter, the good news is that this part of the CIO portfolio of responsibilities is most often excused as a prerequisite and most easily delegated or outsourced. With some meaningful systems development and delivery experience under your belt, you can selectively entertain CIO opportunities. While doing so, also seek out a rotational tour of duty in IT operations as a means to more fully prepare for a top IT role. And always seek out assignments along the way that will give you experience in IT governance and organizational topics. Lastly, guessing that your undergraduate studies were not in a technical discipline, getting a master’s degree in MIS could complement your B-school degree quite nicely if the curriculum you are considering is focused on IT business issues and not simply on technology.

-Mark  Polansky,  managing  director  and  member 
of  the  advanced  technology  practice 
at  Korn/Ferry  International 
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ILLUSTRATION  BY  ADAM  MCCAULEY 


ERP and CRM Peer Review

The Truth About Enterprise Software... as Only Your Peers Can Tell It.

Trying to take the guesswork out of implementing an ERP or CRM application may seem like an impossible task. Between evaluating, negotiating, budgeting, selecting, and executing the plan, the "unknowns" can seem daunting, and the process never-ending.

TURN TO YOUR PEERS — who have walked this path before you — for advice. The 2002 ERP and CRM Vendor Scorecard from Peerstone Research captures the challenges, benefits, and advice from the true experts — 163 Enterprise Application users — real practitioners whose experience will help you make the right decision for your enterprise.

For only $795, the 2002 ERP and CRM Vendor Scorecard is delivered right to your desktop giving you immediate access to the information you need. Looking for peer-based ratings for enterprise software Systems Integrators? See our companion report, the 2002 Systems Integrator Scorecard. Printed copies, volume pricing and site licenses available — see our web site for more information.

Your peers grade the big 4 ERP/CRM vendors' performance on features, ROI, software quality, ease of integration, and vendor services.

Reviews of the vendors and verbatim comments from your peers — both pro and con — for each.

Find out what your peers are saying about enterprise applications' ability to create value, how to derive the maximum benefit from ERP or CRM, and all the other implementation questions keeping you up at night.
Career Counsel

EXECUTIVE FORECAST?

Q: I have more than 25 years’ experience in the IT field, with degrees in electrical engineering and computer science. At the end of this year, I will have business management and information resource management degrees. I have held positions from network engineer to director of national engineering. Currently, I am consulting the federal government on homeland security projects, serving as a project manager and senior research scientist.

I have what everyone says is an excellent resume with a diverse background. However, I have not managed to make proper contacts leading to interviews, even though I am listed with more than 15 recruiters and on most major job boards. I am looking for a CTO or vice president of technology position. What is the forecast for executive-level positions during the next year? How can I position myself for better exposure?

A: At this point, the forecast for the next year for CTO-type roles is anybody’s guess, but from what we are seeing, the demand is likely to stay somewhat soft. When the economy picks up and we see three to four months in a row of strong indicators that the world marketplace is on the rebound, then I suspect that corporations will begin to plan for additional initiatives that have been put on the back burner. The hiring phase, then, will lag the economy’s growth by about three to six months.

In order to get more exposure and job interviews, you must put in several hours a day of dedicated time and effort. You need to network with friends and acquaintances. Get in front of some company executives, and conduct information interviews to find out what they perceive will be in demand for technologists in their companies when there is a rebound. Also be sure your resume is clear and accomplishment-oriented—that it speaks to your ability to work successfully in a variety of roles and highlights cases where you achieved bottom-line results for your employers.

It is also a good idea to contact half a dozen very good executive recruiters. However, cold calling does not work very well in this job market. The best way to find these recruiters is to ask senior human resources executives who they use and like. Also ask friends and colleagues whom they have worked with and respect. See if you can use a friend or colleague’s name to help you get access to the senior recruiter in a search firm. Utilizing your network can have a multiplying effect that takes place once you get the ball rolling, and you will find that this is often the way to get you your best job-search results.

Getting in front of an employer requires that you excel in a job interview. You might want to ask a friend to critique your resume and listen to you describe your accomplishments. Some executives even hire a professional coach to ensure that they are maximizing their skills. HR folks are often a good resource for knowing good coaches.

-Beverly Lieberman, president of Halbrecht Lieberman Associates

PRESENTING MY CASE

Q: I am a 22-year IT veteran with a range of different experiences. Most recently, I have gone full time as an independent consultant, specializing in IT management and project management. I have been with my primary client as its top IT adviser for nearly six years. Now that I have my master's in IT management, I would like to move into a little more challenging assignment, eventually aiming for a CIO position with a midsize company.

For most of my career (all but the past two years), I have held multiple, simultaneous positions. I understand that a chronological resume is best for this type of job search. How do I present my employment history in a logical format that doesn’t take too much space? Or is it better to tough it out with the functional format in my case?

A: In your situation, my recommendation would be to create both a functional and chronological resume. Recruiters typically review resumes looking for a match between a client need and candidate skills. Recruiters look for functional positions, industry experience and leadership capability, and the functional resume helps highlight what you have accomplished in a crisp, easy-to-read fashion. Once you have captured readers’ attention with your functional experience and strengths, they will be motivated to learn more about what you have accomplished.

Your chronological resume should be complete but concise. Where you have worked on several projects concurrently, indicate so. Make sure it is easy to read, though, with no gaps or time lapses between projects or assignments. In addition, since you have been working in a consultant capacity, I recommend you prepare a list of references with names, titles, addresses and phone numbers that you should make available to interested parties.

You have clearly accomplished a great deal in your long career. I would lead with the functional resume. Interested parties will read on and seek you when they see a match.

-Gerry McNamara, partner of Heidrick & Struggles

WHAT’S MY FUTURE?

Q: I have postgraduate training in computer science and have 13 years of widely mixed experience in software development, training, project management and quality assurance. I also have more than three years of entrepreneurship experience in these fields. Currently, I am working in presales and sales support for an IT services organization. What are my future growth prospects, and how should I shape my career going forward?

A: In order to decide on a future direction for your career, you need to consider what you enjoy most about the kind of work you have been doing and the type of work environment that suits you best. It seems that, should you continue on your current track, an option is to work for technology products or services companies. These types of roles include leading product development initiatives as well as marketing and business development. Positions that tend to offer the biggest financial rewards are those in sales. The senior-most roles in vendor organizations tend to be filled by executives who have marketing and customer management backgrounds.

Another option is to pursue management roles in large corporations. These include leading large-scale systems integration projects, such as ERP implementations, and are often multiyear projects and can include global responsibilities. Having global experience at a senior project and management level will position your career to be tracking a CIO role or equivalent.

-B.L.

UNHAPPY NOW

Q: I took a CIO position at a smaller company because I needed a job. However, my heart is not in it. As a professional, I am doing my best to support the team and the company. I want to be fair to the company and myself. Should I continue until I find a position more aligned with my career aspirations, or should I just walk away now to totally focus on new opportunities?

A: The old adage is quite true: “It is easier to find a job when you are employed.” Being unemployed while job hunting always leaves some room for doubt: Was there a problem? Was she performing well? This is especially true in a market such as this one in which many poorer performers have been let go under the umbrella of cost reduction.

Since you said that you are doing your professional best under the circumstances, then it would seem that you are being as fair as possible to your employer. In fairness to yourself, you should be keeping your eyes and ears open to the market, and selectively making contact with top recruiters to let them know that you are available to be considered for larger-scale opportunities.

Time is on your side as the job market continues to slowly improve and your tenure at this “interim” position increases, thereby mitigating an early departure. Most of all, being employed but looking tells prospective employers that the choice to move on is yours alone.

-M.P.

MUSICAL CHAIRS

Q: I have worked for the same boss for 12 years, and my career has progressed well under his direction. However, my boss has no aspirations to move up to the next level. My next promotion would be to his level. I am considering breaking my loyalty to him to move up. I would like to do it within the same organization. How should I approach the CIO with this request?

A: The simple answer to your question is to approach your CIO directly—as soon as possible. Your ambition to ascend to the level of organizational recognition and responsibility currently enjoyed by your boss would not be interpreted as disloyal by any thinking person. Remember, you have given as well as received direction from your superior during a 12-year period of continuous employment. That’s the very definition of loyalty. But now your loyalty—your allegiance and responsibility—is to yourself and your career. If your boss is a true friend, mentor and supporter, he will encourage and applaud your continuing success, and should prove to be a valued peer in the future.

-M.P.

Have a Career Question? Visit the online CAREER COUNSELOR at www.cio.com/counselor to ask our experts your questions and browse their answers.

The Web-based Executive Career Counsel column, found at www.cio.com/counselor, is edited by Director of Online Research Kathleen Kotwica (kkotwica@cio.com). Answers are provided by Beverly Lieberman, Gerry McNamara and Mark Polansky.

There’s a communications network we can all learn from

You already have an incredibly efficient communication network - your people. BT can offer you complete business solutions to orchestrate that natural potential in your business. We work with 5,000 companies and have more than 17 years of global account management experience. Which means that we have the experience but you have an inbuilt infrastructure that is infinitely more valuable...people. Because we understand that in business, communication is everything.

www.bt.com/globalservices


126 CIO NOVEMBER 1, 2003    www.cio.com


The Wizard of ?

Location matters.

Because without it, you don't have the whole story.

Is a web visitor in Kansas or not? Are they using their true identity or hiding behind a curtain of secrecy? You can ask for location verification, but how do you know the truth?

With Quova's GeoPoint geolocation technology, companies can determine the real-world location of a website visitor - all the way down to their city. And that can help you avoid doing business with the wrong people. Using Quova's unique closed-loop methodology, GeoPoint lets you authenticate users, manage access and configure intrusion detection to block traffic from high risk IP domains. Giving more proxy information than any other provider, GeoPoint even offers network connection and performance data with pinpoint accuracy.

With Quova's fully integrated enterprise solutions, companies have unparalleled confidence in their network security plans and compliance activities.

Get the whole story. Call Quova today: 1-877-737-8682

QUOVA

MAKING LOCATION MATTER

www.quova.com
End-to-end business intelligence. One BI vendor. IT nirvana.

Business Intelligence from Business Objects

There are basically two ways for IT to implement your enterprise business intelligence solution. You could try to cobble together pieces from multiple vendors. Or you can choose BusinessObjects Enterprise 6 from Business Objects. And experience end-to-end business intelligence for your entire enterprise.

With Enterprise 6, you'll be able to provide a complete suite of integrated business intelligence software that meets the needs of all your users. It includes the industry's best web query, reporting, and analysis capabilities. The most advanced and complete suite of analytic applications. The best packaged application connectivity. And, of course, end-to-end product integration. Today, more than 17,500 companies rely on award-winning Business Objects business intelligence solutions to track, understand, and manage enterprise performance. Perhaps you should, too. To get started, view our BusinessObjects Enterprise 6 interactive product demonstration or download our free technical white paper at www.businessobjects.com/e2e. And indulge yourself in IT nirvana.

[Diagram: Data Sources]
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How  comfortable  do  you 
find  the  hot  seat?  E-mail 
Leadership  and  Management 
Editor  Edward  Prewitt  at 
hotseat@cio.com. 


CIOs  in  a  Class  by  Themselves 

Leadership  training  courses  target  what’s  different  about  IT  execs 

BY  MEGAN  SANTOSUS 


With  the  credibility  and  ultimate  value 
of  IT  under  a  microscope  these  days, 
CIOs  must  demonstrate  solid  leadership 
skills,  both  within  their  IT  departments 
and  among  other,  non-IT  executives.  To 
meet  the  specific  training  needs  of  CIOs, 
a  few  programs  that  focus  exclusively  on 
IT  leadership  have  cropped  up.  They 
offer  differing  perspectives  and  content, 
but  each  is  aimed  at  making  CIOs  better, 
more  credible  corporate  leaders. 

CIOs  have  had  training  options  for  as 
long  as  executive  education  has  been 
around.  Yet  leadership  guru  Barry  Pos¬ 
ner,  who  conducts  training  programs  for 
both  IT  and  general  business  executives, 
makes  a  case  for  CIOs  to  attend  IT- 
specific  events.  “For  IT  folks,  it’s  helpful 
to  get  together  with  other  IT  folks.  IT 
participants  get  left  behind  in  programs 
that  I  teach  with  people  from  other  disci¬ 
plines,”  says  Posner,  who  is  dean  and 
professor  of  leadership  at  Santa  Clara 
University’s  Leavey  School  of  Business 
and  coauthor  of  a  best-selling  book  on 
leadership.  He  points  to  the  newness  of 
the  CIO  position  among  executive  ranks. 
By  the  time  people  reach  senior  leader¬ 
ship  levels  in  IT,  Posner  says,  they  usually 
haven’t  had  comparable  experiences  in 
sales,  manufacturing  or  finance — unlike 
CEOs,  CFOs  and  COOs,  who  tradition¬ 
ally  rotate  through  different  high-level 
jobs.  “A  lot  of  people  who  have  come  up 
fairly  quickly  in  the  IT  function  have 
done  so  largely  by  putting  out  fires  in 
technology,”  Posner  says. 

Being  reactive  is  not  the  kind  of  lead¬ 
ership  skill  that  CIOs  need  for  success 
right  now.  Posner,  along  with  Pete  DeLisi 
and  Ron  Danielson,  launched  the  Infor¬ 
mation  Technology  Leadership  Program 
(ITLP)  at  Santa  Clara  based  on  research 


they  had  conducted  on  the  CIO  role.  The 
trio  asked  CEOs  what  skills  CIOs  needed 
to  be  successful.  They  found  that  CIOs 
typically  lacked  the  leadership  traits 
needed  to  become  a  major  player  on  the 
executive  team. 

The  IT  Leadership  Program  empha¬ 
sizes  skills-based  training  centered  around 
strategic  thinking,  consulting,  and  effec- 


Joe  Hungate,  CIO  for  the  Treasury  Inspector 
General  for  Tax  Administration,  got  the 
idea  to  set  up  an  IT  business  council  from 
Meta  Group's  CIO  Boot  Camp. 

tive  management  and  leadership.  Now  in 
its  eighth  year,  the  program  is  offered 
twice  annually  as  a  three-day  gathering. 
In  case  studies  and  role-playing  exercises, 
participants  are  not  simply  taught  about 
skills  such  as  influence  and  relationship¬ 
building;  they  have  to  practice  them.  Small 
teams  of  attendees  get  a  business  problem 
to  solve — for  example,  a  vice  president  of 
marketing  asks  for  IT’s  help  to  boost  busi¬ 
ness.  Team  members  have  to  use  ques¬ 
tioning  skills  to  gather  information, 
negotiation  and  influencing  skills  to  make 
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decisions,  and  commu¬ 
nication  skills  to  pres¬ 
ent  a  final  proposal. 
Throughout,  partici¬ 
pants  are  coached  on 
their  performances. 

In  addition,  attendees  glean  leadership 
tips  from  peers,  some  of  whom  come  in 
with  their  CEO  in  tow.  DeLisi  describes 
the  IT  Leadership  Program  as  a  support 
group,  allowing  participants  to  talk  about 
shared  problems. 

Getting  that  peer  perspective  is  what 
led  Rahul  Belani  to  attend  the  Santa 
Clara  program  in  the  fall  of  2002.  As  sen¬ 
ior  vice  president  and  CTO  at  publisher 
Jane’s  Information  Group,  Belani  was 
looking  for  advice  about  raising  IT’s  pro¬ 
file  within  the  company.  “I  was  interested 
in  best  practices  for  learning  what  the 
business  expects  and  communicating 
value,”  he  says. 

While  Belani  says  he  was  satisfied 
with  the  session,  he  didn’t  come  away 
from  it  with  a  host  of  newfound  lessons. 
Instead,  he  found  that  the  program’s 
“commonsense”  content  provided  him 
with  “a  refresher  on  what  you  should 
be  doing,”  he  says.  Because  of  the  IT 
Leadership  Program,  Belani  now  takes  a 
different  approach  to  communicating 


what  IT  does  for  the  company.  In  tran¬ 
sitioning  content  management  services 
from  HTML  to  XML,  for  example, 
Belani  refrained  from  waxing  about  the 
relative  merits  of  the  new  technology. 
Instead,  he  emphasized  how  a  new  for¬ 
mat  would  let  the  company  more  effec¬ 
tively  reuse  content  and  give  customers 
access  to  information  and  analysis. 

To  close  the  communication  gap 
between  himself  and  his  peers,  Joe  Hun- 
gate,  CIO  for  the  Treasury  Inspector  Gen¬ 
eral  for  Tax  Administration,  turned  to 
Meta  Group’s  CIO  Boot  Camp.  Hungate 
felt  that  his  ability  to  work  effectively  with 
executives  outside  of  IT  was  hampered  by 
his  background.  “Having  come  from  the 
IT  ranks,  my  business  jargon  tends  to  be 
acronym-laden,  and  I  make  assumptions 
about  people’s  understanding  of  technol¬ 
ogy,”  he  says.  In  April,  he  attended  the 
Meta  program,  which  emphasizes  estab¬ 
lishing  IT’s  credibility  and  demonstrating 
IT’s  value. 

The  4-year-old  CIO  Boot  Camp  runs 
for  two-and-a-half  days  of  intense  ses¬ 
sions.  Taught  by  Meta  analysts,  the  Boot 
Camp  covers  plenty  of  operations- 
oriented  material,  such  as  IT  portfolio 
management,  infrastructure,  enterprise 
architecture  and  governance.  And  like  the 


Santa  Clara  offering,  Meta’s  program 
uses  case  studies  and  group  exercises.  But 
one  major  point  of  difference  between  the 
two  programs  is  the  target  audience. 
While  both  programs  are  geared  for 
CIOs  wanting  to  further  establish  them¬ 
selves  as  corporate  leaders,  the  Meta  Boot 
Camp  is  open  to  non-IT  executives.  A 
former  COO  from  Hungate’s  office 
attended  the  program  last  year.  “IT  is 
becoming  increasingly  more  pervasive,” 
Hungate  says.  “People  stepping  up  to  the 
boardroom  need  to  be  IT-sawy.” 

Hungate  says  the  Meta  program  didn’t 
formally  address  what  he  considers  a 
tricky  aspect  of  leadership — developing 
camaraderie  among  colleagues.  But  the  les¬ 
sons  on  communicating  IT’s  value  were 
particularly  useful.  After  returning  from 
the  Boot  Camp,  he  created  an  IT  business 
council  for  his  Treasury  Inspector  Gen¬ 
eral’s  office.  Composed  of  non-IT  execu¬ 
tives,  the  council  provides  a  direct  way  for 
IT  to  gather  project  requirements  and 
establish  metrics  that  support  the  business 
perspective.  “It  gets  more  people  involved 
in  the  IT  decision-making  process,”  Hun¬ 
gate  says,  adding  that  IT  and  business 
managers  have  gained  a  better  under¬ 
standing  of  one  another  in  the  process. 

Meta  isn’t  the  only  consulting  com- 
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I.T.  EXECUTIVE  EDUCATION 


CIO  Leadership  Programs  at  a  Glance 


PROGRAM 

SPONSOR 

AUDIENCE 

APPROACH 

Information  Technology 
Leadership  Program 

Santa  Clara  University 

CIOs  looking  to  improve 
their  executive-level  skills 
and  IT  professionals  aspiring 
to  become  CIOs 

Uses  case  studies  and  brings  in 
real-world  CIOs  to  help  attendees 
augment  technical  knowledge 
with  general  management  skills 

CIO  Boot  Camp 

Meta  Group 

CIOs  and  their  executive-level 
counterparts 

Led  by  Meta  analysts  who  focus 
on  defining  and  delivering  IT  value 

Gartner  CIO 

Boot  Camp 

Gartner  Executive 

Programs 

CIOs  looking  to  identify 
and  improve  their  weakest 
leadership  skills 

Customized  content  and 
individual  action  plans 

Healthcare  CIO 

Boot  Camp 

College  of  Healthcare 
Information  Management 
Executives 

Up-and-coming  CIOs,  IT  man¬ 
agers,  and  non-CIO  executives 
in  the  health-care  industry 

Experienced  health-care  CIOs 
mentor  attendees  in  seven 

factors  of  success 
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pany  in  the  IT  leader¬ 
ship  training  business. 
In  February,  Gartner 
launched  its  own  ver¬ 
sion  of  a  boot  camp,  a 
three-and-a-half-day 
program  that’s  designed  around  six 
“imperatives”  for  CIOs.  These  high-level 
agenda  items — lead,  anticipate,  strategize, 
organize,  deliver  and  measure — represent 
“the  lifecycle  of  things  a  CIO  needs  to  do 
well  to  succeed,”  says  Diana  Cirillo,  vice 
president  of  product  strategy  at  Gartner 
Executive  Programs,  the  membership- 
based  organization  that  runs  the  program. 

Gartner’s  boot  camp  uses  case  studies 
and  invites  guest  speaker  CIOs  and  non- 
IT  executives  to  share  their  experiences 
and  impart  their  perspectives.  The  Gart¬ 
ner  program  tries  to  tailor  each  session’s 
content  to  the  strengths  and  weaknesses 
of  the  group.  Before  arriving  at  the  pro¬ 
gram,  attendees  complete  a  personal  diag¬ 
nostic  analysis  that’s  used  to  shape  the 
curriculum. 

While  Gartner  sees  the  customizable 
content  as  a  selling  point,  Cirillo  says  the 
program’s  real  strength  is  the  network¬ 
ing  opportunity  it  affords  CIOs.  That 
was  born  out  for  Barry  West,  CIO  at  the 
National  Weather  Service,  who  attended 
Gartner’s  inaugural  program.  “I  started 
as  a  programmer  and  came  through  the 
ranks  of  IT,”  he  says.  “Networking  with 
industry  CIOs  gave  me  a  good  perspec¬ 
tive  on  some  of  the  challenges  they  face 
things  like  IT  security  and  tying  service 
back  to  performance  metrics.” 

Federal  government  CIOs  such  as  West 
can  also  attend  training  programs  specif¬ 
ically  targeted  at  them.  The  CIO  Univer¬ 
sity,  a  consortium  of  universities  that 
offers  courses  on  a  broad  range  of  topics, 
was  formed  in  1999  to  build  expertise 
among  government  CIOs  (for  more  about 
the  consortium,  see  “Advanced  Leader¬ 
ship  Learning”  at  www.cio.com/print 
links).  And  now  health-care  CIOs  have  a 
program  just  for  them  too.  The  College 


MANAGEMENT  REPORTS 

Personality  Profiling 


Natural-Born  Leaders, 
Meet  Your  Inner  Managers 

Do  personality  “tests”  such  as  the 
Myers-Briggs  profile  really  reveal  how 
people  think  and  work?  And  if  so,  can 
test-takers  change  their  personalities 
to  shore  up  weaknesses? 

In  a  newly  published  book,  two 
academics  focusing  on  leadership 
studies,  Roy  Williams  and  Terrence 
Deal,  use  Myers-Briggs  and  another 
model  of  cognitive  styles  to  examine 
leadership  and  managerial  roles.  They 
conclude  that,  while  people  are  indeed 
predisposed  to  think  and  act  in  certain 
ways,  the  best  executives  consciously 
combine  different  personality  attrib¬ 
utes.  This  enables  them  to  respond 
effectively  to  a  variety  of  situations. 

In  When  Opposites  Dance:  Balanc¬ 
ing  the  Manager  and  Leader  Within, 
Williams  and  Deal  define  four  types 
of  executives: 

■  Rationalists,  who  value  sound 
thinking  and  work  through  organiza¬ 
tional  structure  to  accomplish  tasks. 

■  Politicists,  who  view  group 
dynamics  from  a  power  perspective 
and  are  adept  at  politics. 

■  Humanists,  who  are  attuned  to 
organizational  moods  and  regard 
people  as  a  company’s  top  asset. 

■  Culturists,  who  consider  culture 
the  preeminent  force  in  an  organiza¬ 
tion  and  communicate  through 
stories,  ceremonies  and  rituals. 

Humanists  and  culturists  make 
natural  leaders  because  leadership  is 
a  matter  of  appealing  to  individuals, 
the  authors  assert.  Rationalists  and 
politicists  behave  more  naturally  as 
managers  because  these  types  focus 
on  organizational  qualities.  Whatever 
the  preferred  approach,  though, 


success  over  the  long  term  depends 
on  being  able  to  embrace  other  styles 
of  thinking.  Environments  change  and 
new  challenges  surface. 

Former  New  York  City  Mayor 
Rudolph  Giuliani,  for  instance,  built 
his  career  on  being  a  tough-minded 
rationalist  manager.  In  the  aftermath 
of  9/11,  though,  Giuliani  was  able  to 
morph  into  a  compassionate  leader,  a 
humanist  and  culturist  of  the  highest 
order.  Contrast  that  with  the  examples 
of  Ken  Lay  and  Jeffrey  Skilling,  the  ex¬ 


chairman  and  ex-CEO  of  Enron.  In  an 
intense  socialization  process  dubbed 
“Enronizing,”  these  two  culturists  led 
a  once-plodding  gas  pipeline  com¬ 
pany  to  a  new  identity  as  the  self- 
proclaimed  “World’s  Best  Company.” 
The  financial  and  managerial  controls 
that  would  have  been  provided  by  a 
rationalist  were  notably  absent. 

Natural-born  leaders  often  want  to 
delegate  what  they  view  as  annoying 
details  to  a  COO-type  subordinate. 
That  sometimes  works,  say  Williams 
and  Deal,  but  the  best  executives 
recognize  the  multiplicity  of  organiza¬ 
tional  life,  and  look  for  their  inner 
leader  and  manager  alike. 

-Edward  Prewitt 
The College of Healthcare Information Management Executives (CHIME) launched its three-day Healthcare CIO Boot Camp in October. Taught by industry CIOs and aimed at aspiring CIOs, the curriculum uses case studies and war stories centered around seven success factors: setting vision and strategy, integrating IT for business success, making change happen, demonstrating IT’s business value, instilling customer service as a core value, building a high-performance IS organization and cultivating a collaborative atmosphere. The response to the program has been strong enough that CHIME is considering whether to offer it twice a year, says Keith Fraidenburg, the group’s vice president of education and communications.


“IT participants get left behind in programs that I teach with people from other disciplines.”

-Barry Posner, dean and professor of leadership, Leavey School of Business, Santa Clara University


With IT-specific programs lasting three days at most, however, CIOs who attend them shouldn’t expect to become exemplary leaders overnight. Yet there’s value in getting away from the office, sitting down with peers and focusing exclusively on leadership challenges. Santa Clara’s DeLisi characterizes his IT Leadership Program as an encounter that gives attendees a taste of leadership skills—skills he expects CIOs to refine as they advance in their careers.


Send comments to hotseat@cio.com. Megan Santosus is a senior editor at CIO.


Leadership Agenda by Susan H. Cramm

Project Courage

How to sidestep the organizational death march

Another failed project—stumbling over (or short of) the finish line, millions over budget, with the survivors gasping for breath as they try to make sense of the past two or three years of their lives. The ultimate cost of these “death march” projects (a term coined by software engineering guru Edward Yourdon) is beyond what any organization can afford to pay. These projects cut the creative and risk-taking soul out of an organization. Good people leave, survivors hide, and cynics abound. These projects might not constitute a large portion of your total project portfolio, but they account for a very large portion of expenditures and credibility (or lack thereof).

Death march projects don’t evolve into disasters by accident; the seeds of destruction are planted at inception. The sad fact is that there are many in IT who know in advance that these projects are doomed to failure. Death march projects exist because IT professionals choose to take the path of least resistance and hear what they want to hear, do what they are told and hope for miracles. The only antidote for death march projects is courage. Not the “take this job and shove it” type of courage, but the courage to pull victory out of the jaws of defeat by breaking apart the toxic combination of time, scope, resources and risk that defines a death march project. Consider the following actions as you manage the most toxic elements of difficult projects.

TRUMP THEM ON TIME FRAME. Demand that the IT organization figure out how to deliver something quicker than the prescribed time frame, rather than fighting the battle of “It can’t be done and this is why.” If you make the time frame short enough, it’s easier for everybody—in IT and on the business side—to see what is possible and what is not. Introducing an across-the-board, mandatory time box of six months for business value delivery is powerful because it gets everybody to master the art of making hard choices. One CIO calls this the game of sequencing versus prioritization. Just because something is a top priority doesn’t mean that the solution is close at hand. In fact, it’s quite the opposite. If something is a top priority, there are good reasons why it has been allowed to persist. The trick is to identify and sequence those activities (read: smaller, quick-cycle, learning-based initiatives) that help the organization better understand the problem.

PLAY THE NUMBERS GAME. Demand a business case that makes sense, and then use it to filter the requirements and manage the project scope. Use the “results chain” concept discussed in John Thorp’s book, The Information Paradox, to ensure that the benefits are well defined and the work necessary to mine them is well understood. Require that every request for additional funding is bounced against the original business case. Kill projects, in the words of one CIO, “once the budget has been adjusted twice and there is still no beta-level deployment.”
Learn to understand the historical relationship between work effort (a.k.a. the dreaded function points) and resources and time so that your organization has credible estimating data. Build your capability to monitor progress—rather than effort—by leveraging use cases, visual prototypes and “daily builds.”

STACK THE DECK. Make sure there is real sponsorship for a project by ensuring that responsibility for specific business results (operational as well as financial) is assigned to business sponsors. Keep project accountability simple by keeping it “single nose.” Select a project executive who is acceptable to both you and the sponsors, and let him have the authority to do things (for instance, team selection, facilities, equipment, tools, processes and technology). Make the project management office work for the project executive (rather than the other way around) by adding value rather than bureaucracy. Don’t introduce any new processes, tools or technology, and keep the team exempt from all overhead activities.

SORT IT OUT EARLY. Neutralizing the toxic elements of death march projects requires that you get started on developing the policies and skills outlined above well in advance of any heat-of-the-moment project negotiations. The seeds of a project’s success, or failure, are planted at the beginning stages, so this is where you need to roll up your sleeves. When the time is right, you need to summon the courage to act decisively and reject the temptations to leverage your positional power to get others to say what you want to hear.

As an executive, my greatest fear was that my employees would do exactly what I told them to do rather than challenging me and working with me to develop industrial-strength solutions. It takes a lot of courage to face issues and negotiate with customers and the powers that be. Trust your organization, fight back your fear of failure, and do what’s right for the good of all.


Reader Q&A

Susan H. Cramm answers questions on “Project Courage”

Q: How many “death march” projects are because of poor management, and how many projects spiral downward due to lack of support from senior management? Sometimes project managers mean well but have their hands tied—and get blamed for the failures. Do you have statistics of this nature?

A: Edward Yourdon believes death march projects exist because people are essentially idiots. If you take the time to review his more detailed analysis of the reasons for death march projects (including politics, naive or overly aggressive promises and optimism, and unforeseen pressures due to competition, regulation and so on), it is easy to see that there is plenty of blame to go around—at senior and junior levels, both in and outside of IT. Rather than placing blame, though, I think it’s the job of senior managers to summon the courage to get their hands dirty, avoid the allure of unreasonable leadership edicts, and exert the influence necessary to bring projects back to reality.

Q: Your trump-the-time-frame suggestion suffers from a general management fallacy: to give an end date for a deliverable rather than produce a reasonable estimate. Your suggestion will result in project personnel saying they will do what management wants, and then five months into the time box, they’ll tell the bosses that they are going to miss by three months.

What I expected to see in your column was an emphasis on planning. In my more than 20 years in IT projects, I have found that projects fail due to a lack of planning at the beginning. Project disasters occur because managers are not honest with the project teams, or with themselves. Tricks on the time line or the business case will not change an executive who is not willing to listen.

A: Project scope is often determined subjectively—more like a popularity contest rather than a fact-based, rational business decision process. If we take the approach of letting scope be the input and time the output, then project scope will always be too big and the time frame too long. But if we let value and time be inputs and scope and resources be the outputs, then we give the project team the opportunity to tell us what the alternatives are (given different assumptions).

Q: When a project gets out of hand, how does one manage to get to a solution, with no change in resources and budget? Is a down-scoped solution viable?

A: If time is an input, scope must be an output. Some people believe that an organization’s top priorities are unsolvable in the short term. As a CIO friend of mine says, if an issue is a top priority, there are a series of unknowns that prevented the issue from being addressed early on, thereby allowing it to grow to a top priority. If this is true, the only approach is to experiment until the problem is better understood and the solution is close at hand.


To see more reader questions and answers from Susan H. Cramm, go to www.cio.com/leadership/agenda.html. Cramm is president of Valuedance, an executive coaching firm based in San Clemente, Calif. Her e-mail address is scramm@cox.net.
“The Best Place to Be a CIO or to See a CIO is at a CIO Magazine event.”

— B. Lee Jones, CIO, DMC Stratex Networks


CIO Magazine’s Executive Programs are the place for CIOs to learn from industry experts and from one another. We bring together the best and the brightest to keep you informed, stimulate your thinking, and sanity-check yourself against your peers.

We limit attendance to qualified, senior IT executives from business, government and leading not-for-profit organizations. Join us at one of our events in 2004.

Call us at 800.366.0246 or visit www.cio.com/conferences


Upcoming Events!

February 8-10, 2004
Enterprise Value Retreat & Awards Ceremony
Trump International Sonesta Beach Resort, Sunny Isles Beach, Florida

April 18-20, 2004
CIO Perspectives
La Costa Resort & Spa, Carlsbad, California

August 22-24, 2004
CIO 100 Symposium® & Awards Ceremony
Hotel del Coronado, Coronado, California

The Resource for Information Executives


CIO ENTERPRISE VALUE RETREAT & AWARDS CEREMONY

FEBRUARY 8-10, 2004
TRUMP INTERNATIONAL SONESTA BEACH RESORT, SUNNY ISLES BEACH, FLORIDA

IT’S ALL ABOUT I.T. VALUE


This is the event for CIOs who are concerned with articulating, delivering and demonstrating the value IT brings to the enterprise. While some pundits say IT is only a commodity, we believe IT continues to be at the forefront in increasing your competitive advantage. To give you more ways of looking at IT value, we incorporate research and case studies from Peter Weill’s work at MIT Sloan School of Management. We put you together with CIOs who are the winners of this year’s CIO Enterprise Value Awards.

And we give you the opportunity to learn from each other.

Call 800.355.0246 or visit us at www.cio.com/conferences


“The discussion and information exchange with peers is invaluable.”

Robert Odenheimer, SVP, IT Operations, Magellan Behavioral Health

“The content presented by Peter Weill was an excellent framework to discuss current challenges with a very interesting peer group.”

Chris Acton, Global IS, Rio Tinto Borax

“Lessons learned are not the usual academic fare, but the subtleties of the cultural and technological minefields.”

Evelyn Lockett Woods, EVP/CIO, Joint Commission on Accreditation of Healthcare Organizations




Retreat Moderator: Peter Weill, Director, Center for Information Systems Research, MIT Sloan School of Management

The Case Studies

Peter Weill once again presents new findings and case studies from work with hundreds of Global 1000 companies, focusing on three key areas: IT infrastructure for strategic agility, effective business models, and IT governance.

> IT Infrastructure for Strategic Agility

Strategic agility—the ability to implement new business initiatives quickly and cost effectively—will be an increasingly important capability for enterprises in 2004. IT infrastructure is one of the critical platforms required for strategic agility. Investing in the right infrastructure at the right time enables rapid implementation of future electronically based business initiatives and cost reduction of current business processes—i.e., more business value. This session presents a framework for senior executives to view IT infrastructure in business terms and to lead in making investment decisions. Weill illustrates how firms successfully implement and exploit their IT infrastructures with several case studies.

> Do Some Business Models Perform Better than Others?

In an increasingly connected business world the business model—what a firm does and how they make money—is a critical strategic decision. Understanding what business models are used, how they are combined, and which are most successful is important for every senior manager. In addition, firms implementing each model use IT differently—resulting in different IT portfolios. This presentation provides a new and powerful way to analyze a firm’s business model and then think about the IT needs.

> IT Governance Workshop

In response to strong interest in last year’s session on IT governance, Weill leads a workshop on how top performers govern. He presents case studies and insights from MIT CISR’s study of effective IT governance in 256 enterprises in 23 countries. A framework is presented in this workshop to analyze and communicate governance, illustrated with case studies of top performers.

> Monday’s Case Study Workgroups

Monday at lunch we divide into small groups to investigate the link between business strategy and IT infrastructure in a new case study. The case is based on a global multi-business unit firm in the healthcare industry moving from a fully decentralized approach to information technology to providing some firmwide IT infrastructure. The challenge for your group is to advise the newly appointed CIO. Groups will report back with their recommendations.


The Enterprise Value Award Winners

They’re scrutinized by CIO editors, Review Board members, and our judging panel of top-notch CIOs. Meet the winners of the prestigious CIO Enterprise Value Award and learn how they delivered true value.

> The Value Proposition

Our panel of CIO Enterprise Value Award winners talks about the ongoing difficulty inherent in demonstrating and delivering IT value. How do you convince your CEOs, CFOs and COOs—who may think IT is just a commodity, a utility—that its intelligent application and deployment can and does indeed bring strategic value to the business?

> Monday Night’s Gala Awards Ceremony & Dinner

We’ll announce the winner of the Grand CIO Enterprise Value Award—and honor all the winners in the industry categories at a black-tie reception, awards ceremony and dinner. It’s a great time to celebrate with your CIO peers.

> Conversations with This Year’s Winners

We offer breakout sessions with the CIOs of this year’s winning organizations. It’s your chance to talk at a more intimate level, discuss their particular case in more detail and take away lessons you can apply to your own organization back home.


The Peer Networking

CIOs tell us it’s as important to have opportunities to meet informally with their peers as it is to participate in the Retreat sessions. We give you more opportunities to meet and learn from more of your peers over three days, with the golf tournament Sunday morning, informative chats at breakfast and lunch roundtables, the intensely interactive case study workgroup sessions, and relaxed conversations during the daily receptions. And we’re happy to hook you up with other attendees or corporate sponsors you’d like to meet.


Sunday Night Special Event

Jimmy Tingle’s Uncommon Sense

It’s a scary, unpredictable—and absurd—world we live in. Satirist, comedian and commentator Jimmy Tingle takes us on a highly personalized tour of the absurdities of modern life. You’ve got to laugh to survive.

This year’s Enterprise Value Retreat Awards Ceremony is proudly underwritten by BMC Software.
COVER STORY
How to Find, Fix or Fire Your Poor Performers

By Meridith Levinson | 60

Most IT managers would rather have a tooth pulled than have a performance conversation with a subordinate who is not doing well. Yet, poor performers in the IT workplace can be like a virus, infecting other workers on the team whose morale may already be under strain from the impact of the weak economy. CIOs, in response to the pressure to trim the workforce and budget while maintaining productivity, must become more diligent in rooting out poor performers.

One method, forced ranking, has become increasingly practiced by large companies. This tough-minded approach obligates managers to rank each staffer’s performance against one another. Bottom-dwellers typically are pushed out or encouraged to leave. Forced ranking is a sledgehammer approach that some say does more harm than good. They contend it ends up draining employee morale, eliminating cooperation and even resulting in good workers being cut. But forced ranking can also be applied in a less draconian and more effective way. CIOs from such companies as McKesson, Primedia, Tenneco and others describe how they have successfully identified their bad eggs, made them take responsibility for their performance and sent them packing when necessary.


“Life is a bell curve. Get used to it.”

-Cheryl Smith, Senior VP and CIO, McKesson Corp.


Be a Spam Slayer  By Alice Dragoon | 72

IF THERE’S ONE WAY TO MAKE A CIO look like a hero, it’s vanquishing spam. Stamp out this productivity-sapping e-mail menace, and you’ll be lauded by CEOs and secretaries alike. Of course, it isn’t easy. The risk of false positives rises exponentially the more spam you destroy. Analysts currently recommend a lethal “spam cocktail”: a variety of approaches that work together to generate a spam probability score. Companies set up rules to delete, deliver or quarantine messages depending on how they score—but the rules must fit the culture of the company. CIOs can turn to a third-party service provider that can bring a full battery of arms to bear against spam, but this new industry still faces consolidation and shakeout.
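The scoring-and-policy idea in this summary, as an added example that is not from the article or from any product it mentions: three constructed detectors (a naive-Bayes token score, structural heuristics, and a sender-domain reputation lookup) are blended into one spam probability, and delete/quarantine/deliver thresholds are applied to it. The messages, token weights, blocklisted domain and thresholds are all constructed; moving the delete threshold down shows how a more aggressive rule set turns a legitimate newsletter into a false positive.

```python
"""Toy "spam cocktail": several independent detectors blended into one spam
probability, then a delete / quarantine / deliver policy applied to it.
Added example, not from the CIO article; every message, token weight,
blocklisted domain and threshold below is constructed for illustration."""
from dataclasses import dataclass
import math
import re

# Constructed P(spam | token) values, standing in for what a Bayesian
# filter would learn from a labelled corpus. Tokens not listed are neutral.
TOKEN_SPAMINESS = {
    "free": 0.85, "viagra": 0.99, "winner": 0.90, "click": 0.80,
    "unsubscribe": 0.70, "meeting": 0.05, "budget": 0.10, "invoice": 0.30,
    "quarterly": 0.05, "project": 0.08,
}
BLOCKLISTED_DOMAINS = {"bulk-offers.example"}  # constructed blocklist entry


@dataclass(frozen=True)
class Message:
    sender: str
    subject: str
    body: str


def bayes_score(msg: Message) -> float:
    """Naive-Bayes style combination of the per-token spam probabilities."""
    tokens = set(re.findall(r"[a-z]+", f"{msg.subject} {msg.body}".lower()))
    known = [TOKEN_SPAMINESS[t] for t in tokens if t in TOKEN_SPAMINESS]
    if not known:
        return 0.5  # no evidence either way

    def clamp(p: float) -> float:  # keep log() finite
        return min(max(p, 0.01), 0.99)

    log_spam = sum(math.log(clamp(p)) for p in known)
    log_ham = sum(math.log(clamp(1.0 - p)) for p in known)
    return 1.0 / (1.0 + math.exp(log_ham - log_spam))


def heuristic_score(msg: Message) -> float:
    """Cheap structural checks: shouting subject, money/hype, numeric sender."""
    score = 0.0
    if len(msg.subject) > 5 and msg.subject.isupper():
        score += 0.3
    if "$" in msg.body or "!!!" in msg.body:
        score += 0.3
    if re.search(r"\d{3,}", msg.sender.split("@")[0]):
        score += 0.2
    return min(score, 1.0)


def reputation_score(msg: Message) -> float:
    """Sender-domain reputation lookup (a local blocklist stands in for a DNSBL)."""
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    return 0.95 if domain in BLOCKLISTED_DOMAINS else 0.2


def cocktail_probability(msg: Message) -> float:
    """Weighted blend of the detectors into a single spam probability."""
    weighted = ((bayes_score, 0.5), (heuristic_score, 0.2), (reputation_score, 0.3))
    return round(sum(w * detector(msg) for detector, w in weighted), 3)


def apply_policy(p: float, delete_at: float = 0.9, quarantine_at: float = 0.6) -> str:
    """The two thresholds encode how much false-positive risk the company accepts."""
    if p >= delete_at:
        return "delete"
    if p >= quarantine_at:
        return "quarantine"
    return "deliver"


# Constructed sample traffic.
SPAM_SAMPLE = Message("promo8841@bulk-offers.example", "YOU ARE A WINNER",
                      "Click here for FREE viagra!!! $$$ unsubscribe")
HAM_SAMPLE = Message("alice@corp.example", "Quarterly budget meeting",
                     "Please review the project invoice before our meeting.")
NEWSLETTER_SAMPLE = Message("marketing@partner.example", "Webinar seat confirmed",
                            "Congratulations, you are the winner of our free webinar seat!!!")

if __name__ == "__main__":
    for name, msg in (("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE),
                      ("newsletter", NEWSLETTER_SAMPLE)):
        p = cocktail_probability(msg)
        # A lower delete threshold catches more spam but also deletes the
        # legitimate newsletter outright instead of quarantining it.
        print(f"{name:10s} p={p:.3f} default={apply_policy(p):10s} "
              f"aggressive={apply_policy(p, delete_at=0.6)}")
```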


Getting the Best from Your Vendors (What Really Works)  By Elana Varon | 84

IN A RECENT CIO SURVEY ON VENDOR VALUE, negotiating lower vendor fees was the most common technique for wringing value out of vendor relationships. But lowballing doesn’t necessarily pay off—nearly two-thirds of survey respondents said it wasn’t effective at adding value to their business. It didn’t make employees more productive or generate new business. And in many cases, it boomeranged into poor service and support from the vendor. The survey showed, instead, that crafting airtight contracts that balance toughness with fairness and developing comprehensive service-level agreements have a much better chance to return business value. The more specific the SLA, the better, so both customer and vendor agree about what is to be delivered and when, and how much it’s going to cost.


Strategy in Action  By Christopher Koch | 94

WHEN IT COMES TO BUSINESS STRATEGY, going from concept to actual execution is where nine out of 10 companies fail, according to Robert Kaplan and David Norton, who in 1990 developed the Balanced Scorecard. In their latest collaboration, Kaplan and Norton offer a “strategy map,” a multilevel model to help companies articulate strategy and what has to happen to make it actionable. At its highest level, the map defines the objectives for long-term value, growth and productivity. The second level defines a value proposition for the customer, based on price, quality, relationship, brand and so forth. The third level defines the processes to emphasize in order to create that value proposition and satisfy that customer. The map’s foundational level is the people, the technology and the organizational climate—the intangible assets.


FrankenPatch  By Scott Berinato | 100

PLUGGING SECURITY HOLES with software patches is a method that no longer works. Partly, it’s a volume problem. There are simply too many vulnerabilities requiring too many combinations of patches coming too fast. But perhaps more important and less well understood is the process problem. The current manufacturing process for patches—from disclosure of a vulnerability to the creation and distribution of the updated code—makes patching untenable. At the same time, though, the unfortunate answer is that the only way to fix insecure post-release software (that is, all software) is with patches. This catch-22 has sent patching and the newly minted discipline associated with it—patch management—into the realm of the absurd. More than a necessary evil, it has become a mandatory fool’s errand. What’s a CIO to do? It’s either time to patch less—by replacing the process with vigorous best practices and a little bit of risk analysis—or it’s time to patch more—by automating the process with, yes, more software.